The DRM Dictionary: Terms, Technologies, Companies, and More!

0-9

The "Hacker Quarterly", a Web site and (now electronic) magazine devoted to, what else, hacking. The name derives from a legendary incident decades ago in which the phone hacker John Draper discovered that the sound from a toy whistle found in Captain Crunch cereal was a precise 2600 hertz which, due to the multi-tone in-band signaling system employed at the time, could be used to steal long-distance service from the phone network ("phreaking"). The hacker subsequently adopted the moniker "Cap'n Crunch" and took his place in history. The phone network has evolved so that this particular attack is no longer useful, and the group has diversified and grown up, for example engaging in advocacy relating to the DMCA and those charged with violating it.

An illustrative lesson about business and the DMCA: a company whose only product existed to easily copy DVD movies. In most jurisdictions, that would have led to an interesting shades-of-gray discussion about fair use and personal backups vs. piracy and so forth. In the USA, however, thanks to the DMCA and the fact that the technology incorporated the verboten "circumvention measures" (i.e. the logic of deCSS), things are more black and white, and 321 was sued into oblivion in 2004. It is still possible to copy DVDs of course; you just have to get software from somewhere else to do it.

A consortium that licenses patents required to make DVD players, consisting of Sony, Philips, Pioneer, and recently LG. Their profile was raised in early 2005 when most of them joined the Marlin group, and also when they were sued by Chinese DVD player manufacturers claiming discriminatory pricing.

A consortium of 5 computer technology companies (IBM, Intel, Matsushita, and Toshiba, who are the 4C Entity, plus Hitachi) which fosters the production of, and subsequently licenses, intellectual property associated with content control. The 5C entity emphasizes secure transmission e.g. over domestic IEEE 1394 links, while the 4C Entity emphasizes secure storage. Also known as dtcp.com, and the "Digital Transmission Licensing Authority."

A

A leader in technology for electronic documents, perhaps best known for the PDF document format. They have a plug-in framework for their PDF software into which third parties can plug functions, including DRM. The DRM was famously cracked in 2002 by Russian security expert Dmitry Sklyarov, who was arrested shortly after pointing out the system's weaknesses at a conference. More recently Adobe's Flash Player and associated proprietary DRM were in wide use for consumer digital video, but Apple would not support Flash on their wildly popular iPad, so Adobe is moving on to HTML5. Adobe of course also makes good money from other products such as Photoshop.

A supplier of forensic watermark technology for the digital audio industry. They are based near Microsoft in Seattle, from whom they have licensed relevant software technology. They claim that their system is both inaudible to "Golden Ear" testers and able to survive various manipulations such as encoding with perceptual codecs. Given that the media industry has more or less given up on DRM for pure audio, it's not clear that there's much demand for such technology.

The primary copy protection scheme for high-definition video disks; here's an EE Times article from when the scheme was first being established in 2004. It is administered by the AACS Licensing Authority, which has a most impressive roster of members including IBM, Intel, Microsoft and Sony. AACS was agreed upon as a common copy-protection standard even when both HD-DVD (remember them?) and Blu-Ray were still in the running.
Cracks for AACS started coming out in 2007 and evolved to the point that ripping Blu-ray discs protected only by AACS is trivial for anyone who cares to find and download the relevant (admittedly illegal) software. The additional protection technology of BD+ is used on many Blu-ray disks and does raise the bar against illegal copying. However, the whole Blu-Ray ecosystem is so encumbered with legacy constraints and ecosystem issues (such as backwards compatibility and the leakage of movies from within studio or release channels) that it is not clear how much BD+ can stem the tide.

A standard for symmetric cryptography endorsed - after open technical competition - by the National Institute of Standards and Technology in the USA. Because it's free, secure, and subject to intense scrutiny by the cryptographic community, AES is the obvious choice for the symmetric requirements of many security applications including DRM. Most DRM applications use 128-bit AES somewhere in their architecture. A decade ago, AES was often not used for persistent content encryption because of processing power limitations; more lightweight stream ciphers such as RC4 were often used instead. However, nowadays even a cell phone has the power to run AES - and the content providers want the related security - so most DRM schemes use it.

A UK-based DRM technology company which apparently had solutions in the Enterprise space for both Web and Office documents, as well as for software. This seemed pretty ambitious and perhaps it was, as they disappeared around 2012.

Also known as 1800software. A Digital Rights Management technology vendor which specialized in PC game DRM and reputedly had PC Video DRM in development. They were bought out by Real Networks in January 2001.

A business which assembles and distributes a collection of content from various content providers under one banner, typically in the form of downloadable content on a Web site. Today the household names of downloadable, DRM protected content, such as iTunes and Amazon are aggregators, which works just fine. In the early days of DRM, however, this seemed a radical idea. Major content providers either were not in the game, or expected consumers to visit them directly (e.g. get a movie from Columbia Studios). Obviously, consumers don't want to worry about which label their favorite artist works for this month, so in an electronic world, the content providers have become less visible to consumers than the major aggregators.

The Reader's Digest of Internet Service Providers in the late 1990s - remember the movie "You've Got Mail"? They might have become a giant in the DRM-protected media world. But they stumbled badly, notably by being way too late to switch to broadband. They merged with Time-Warner in 2000, at the height of the tech boom, but it went so badly that Time Warner removed the "AOL" from the combined company's name shortly after.

A continuously variable quantitative value, such as the air pressure variations caused by sound, electrical voltage on wires connected to speakers producing sound, or the wavelength of colors in a photograph. This is in contrast to the constrained values (in the simplest case, 1 or 0) which can be represented in the digital domain.

Analog signals can be extremely high quality; however, transmitting them and recording them in high quality is expensive and time-consuming - and even with the best available techniques, analog copies degrade through the generations. That is why, even though analog techniques for content piracy have always been available, they were largely ignored by content owners: they have not been used enough to significantly diminish retail sales of original media.

Of course, content owners are dogged in their pursuit of protection, and would even like to prevent analog copying if they could. See The Analog Hole.

Rovi's (formerly Macrovision) ubiquitous analog video anti-copy technology, best known for preventing easy copying of DVDs to VCR tapes. It operated by fouling up the analog TV signal in a way that TVs could cope with but analog VCRs could not. Also known as "Analog Protection System" or APS. The links at Rovi describing this technology have disappeared, which is hardly surprising as the technology is irrelevant in a world of digital PVRs and HDMI cables.

The potential weakness in a digital content-protection scheme that arises from converting the digital signal to analog, copying it, and re-converting it to a digital format with copy control removed. As far back as 2002, some content owners argued that copy protection should be built in to the relevant electronic hardware components, analog-to-digital and digital-to-analog converters, as per this EE Times article. In the United States, there have been attempts to legislate in such technology, such as this one from 2005. These have been largely abandoned now, since the content owners' concerns have largely switched to protecting premium (e.g. high-definition) content, which for practical purposes is an all-digital situation.

The most successful smart phone platform in the world by a considerable margin, by volume of handsets in use. The OS is semi-open, nominally open-source, centrally controlled by Google but ported to different phones by OEMs such as Samsung. Android owes a large part of its success to being royalty-free, feature rich, and very easily accessible to developers. Because Google does not control the phones, the phone networks, or the OS update mechanisms, the Android ecosystem is far less homogeneous than its most notable competitor, Apple's iOS. For instance, iOS users can easily pick up a new version of the OS directly from Apple, and the vast majority do so regularly, so the Apple ecosystem overall moves to new releases quite quickly and Apple profits through ongoing stickiness and security of revenue-generating services such as iTunes and iCloud. An Android phone user cannot get a new version of the OS from Google, but rather must rely on the particular manufacturer of their phone - and neither phone manufacturers nor phone system operators have much incentive to support such upgrades; once the phone has been sold, that is an unwelcome and unprofitable support call. Android is a derivative of Linux.

From a DRM perspective, Android is challenging. The diversity of handsets, the large range of versions in use, the open nature of the platform (for instance, anyone can develop a signed app), and the quirks of OEM implementations mean that a secure media app cannot be assumed to have the same degree of security on different phones.

A defunct Japanese online music service spearheaded by Sony. Sony has a bad case of "Not Invented Here", and originally (circa 2004), as per this EE Times article, the content was protected by weird DRM and played on proprietary portable Consumer Electronics players and not on PCs. The service apparently wound down in early 2013.

The common name used for consumer software applications, especially in the form in which they are distributed for mobile devices such as tablets and smart-phones. In the last decade, Apps have become incredibly important from economic, technological and security points of view. Capabilities that previously were the domain of fixed-function devices (e.g. playing audio or video on an iPod) are now simply software applications which run, along with millions of others, on general-purpose devices which are more powerful than desktop PCs were a few years ago. Both Android and iOS have thriving "App Stores" and associated developer ecosystems which have low barriers to entry. The result is a fantastically huge, thriving, ever-changing landscape of Apps, which is great for consumers.

It's a bit more problematic from a security point of view, since the general-purpose nature of the dominant App platforms makes them easier to attack. Apple has an advantage here because they control their entire ecosystem, including both the music/movie service (iTunes) and good built-in client device security. In general, though, content providers are concerned with the degree of security attainable on the relevant platforms and are pushing for the use of additional hardware security such as TEEs.

A logical connection through which one software component talks to another, usually within one computer and invisible to most end users. APIs are significant from a security point of view because they are a great place to attack. For example, the API to a "decrypt" subroutine might get passed the true key to a given piece of content, making that API call a great place to try a key discovery attack.

The "other", love-em-or-hate-em, personal computer - and now phone and media - company. For a long time Apple deliberately avoided Digital Rights Management - indeed, the late Steve Jobs pontificated against the whole idea of DRM in the late 1990s. But in 2003, Apple introduced iTunes and iPods, which have set the standard for the genre ever since. The DRM, called FairPlay, is periodically cracked (here's one example), but that doesn't seem to slow them down too much.

Indeed, Apple has been so successful that they decided to remove DRM from their music in 2009. Their service is so good that most people, most of the time, will pay 99 cents a tune to download from them even if they could get the same content for free elsewhere.

It is fair to say that since then online distribution in general and iTunes in particular have completely changed the music industry. Entire albums and physical CDs are now oddities for collectors in a world of 99 cent downloaded single tracks. The major music labels dislike the dominance that Apple has over the distribution of their wares. But Apple is giving consumers what they want and is still king of the online music hill. If they are to be eclipsed it will probably not be by a better download service but by a streaming alternative such as Spotify.

Apple is doing for video what they did for music, since iTunes now distributes movies and TV shows as well as music, and they have introduced video-oriented devices such as Apple TV. For such video, good DRM is still a requirement. It remains to be seen if Apple can duplicate their music success with video. There are notable competitors, such as Roku and the ChromeCast. And Hollywood would clearly like to keep Apple down, but their own comparable initiatives, such as the Digital Entertainment Content Ecosystem, are not notably successful yet.

A family of cryptographic techniques which makes use of the one-way nature of certain mathematical functions, resulting in a system where two separate keys are used. They are usually called the "public" and "private" keys, and either key can be used to encrypt or decrypt data. If one of the keys is used to encrypt content then the other must be used to decrypt it, and knowing one key does not help you discover the other. This is also known as "public key" cryptography, because a sender of encrypted messages can make one key public. Anyone holding that public key can read (verify) messages he created with his private key, or encrypt messages that only he can read; only he can create messages using his private key. Asymmetric cryptography is extremely powerful, can provide functions in addition to confidentiality (such as digital signatures), and scales well in large user communities. However, it is also extremely compute-intensive, so in practical systems such as TLS (formerly SSL) and most DRM systems, it is usually used in combination with symmetric cryptography.

"Adaptive TRansform Acoustic Coding", a proprietary audio codec from Sony, originally used in Mini Disc players, which later incorporated Sony's proprietary MagicGate DRM. The technology was fine, but it just goes to show that Sony has always had a "Not Invented Here" problem. Does the world really need another manufacturer-specific codec and DRM scheme? I think not. Sony's description is here. It's not clear if there is anything left of this technology today.

An "open forum for open DRM", Authena was a clearing house for information relating to open-source content management including DRM. This looked to be a losing cause to your scribe years ago, and indeed Authena no longer exists. Both technologically and philosophically, Open Source and DRM do not make a comfortable combination.

A security company headquartered in Florida with a wide variety of technologies on offer, from DRM to fingerprint sensors to near-field communications. They were bought by Apple in 2012. At the time Apple's intention was not clear, but it has since become obvious that they wanted Authentec's fingerprint and NFC technology and not their DRM.

The art and science of detecting exactly what person - or what physical or logical device or entity - you are dealing with in a specific interaction. For DRM purposes, typically authentication works in a client/server context with the main security burden on the server. It is challenging to do with high security on the public Internet using open devices such as PCs or mobile phones, because such schemes usually require cryptographic secrets to be hidden on the devices, and it's very hard to hide such secrets from a determined attacker in such an environment. That is why, historically, systems requiring strong authentication either were not Internet based, or added robust additional hardware overhead (such as smart cards and associated procedures) to Internet-based access. Recently, as the computing power and hardware assist available even on inexpensive consumer platforms such as mobile phones has become more sophisticated, it is becoming feasible to do reliable authentication with them without the use of add-ons such as smart cards.

B

The counterpart of B2C, above: a business paradigm which provides infrastructure to other businesses. For DRM, there are two forks to this paradigm. Some companies focus on DRM for corporate assets, typically known as "Enterprise Content Management", and their clients are their corporate end-users. Others, such as Irdeto, produce technology which is used in turn by operators or consumer electronics companies in the media business, where the end-user typically has no awareness that the company's technology is in the device.

A part of every PC and video game console, which controls various aspects of the system's operation, notably the bootstrap process. In game consoles, the BIOS is a fundamental part of the anti-piracy strategy, and early game consoles were typically cracked by attacking it to break the "chain of trust" required for overall security (e.g. mechanisms such as Code Signing). As systems have become more complex and more online, the BIOS, while it is a theoretical attack point for security, is usually not the target of choice; most attackers focus on software at the application or OS level.

An Open-Source implementation (from Dartmouth University) of a trusted computing platform for Linux, built according to TCPA principles. The intent is admirably democratic: taking TCPA out of the hands of mega-corporations and putting it into the hands of the people... but one suspects that "the people" (especially the ones who contribute to Open Source developments) probably do not want TCPA in the first place. Indeed, the Web site shows little sign of activity since 2004.

A California company which, based on this Patent, staked a claim to the idea of inserting license information for a DRM system into the BIOS of a PC. Beeble ceased operations in 2004. The patent and principals resurfaced briefly at Ancoratech, which has also disappeared since.

BigChampagne started out tracking trends in illegal downloading and reporting them to the record labels (think of Nielsen ratings for Kazaa ;-). Illegal downloading is less of an issue than it once was, so they have wisely adapted by including data on legal downloads as well.

A technology of authentication which identifies individual humans based on unique physical characteristics which are hard to spoof, such as fingerprints, retina patterns, or voice prints. Despite what you might think from James Bond films, biometrics is an imperfect science - see crossover error rate for more on that. As a result, it is rarely used on its own, but rather as part of a two-factor authentication system where the biometric identity adds more confidence to a candidate identity already established by some other factor, such as a password. Biometrics today is way too heavyweight and expensive for mass-market DRM and is mostly found in high-security applications in government and industry. Musicrypt is the only example that comes to mind of a mainstream DRM company that tried (unsuccessfully) to use biometrics.

A peer-to-peer protocol which underpins vast flows of large files - many of them pirated media - over the Internet. By some accounts, BitTorrent alone accounts for a substantial fraction of overall traffic on the Internet. Content providers hate it because it is, unquestionably, used to widely share pirated content. It also has legitimate uses, which muddies the picture. Users of BitTorrent should be aware that their computers are usually technically set up to be distributors of files as well as collectors of them. It is therefore possible to detect such users, and there is some risk (depending on the legalities in a particular region) that ISPs could be pressured to identify such users.

A component whose boundaries are well defined and whose inputs and outputs can be observed (and perhaps the inputs manipulated), but whose internal operations cannot be observed. For DRM and similar applications, a well-designed physical black box provides perhaps the best currently attainable level of protection. Smart cards are one kind of black box. In the media world, Super Audio CD players were "black boxes" whose inputs were AC power and an SACD disk, and whose output was multiple channels of analog audio. Compliant SACD players cannot have unencrypted or raw digital outputs. What is hidden inside the box - and what the SACD designers didn't want anyone to figure out - are mechanisms such as encryption, watermarking, media binding etc. which try to prevent both digital copying of SACD disks and the creation by home users of their own playable SACD disks.

A PC, by contrast, is a white box, whose internals are very open to inspection, reverse engineering etc. Most of the initiatives to make PCs more secure, such as NGSCB and secure audio path, amount to putting little black boxes inside the white box of the PC.

The Blu-ray media disc, the high-definition physical media format which finally won out in early 2008 over its rival HD-DVD. Blu-Ray, like HD-DVD, uses the AACS protection scheme and sometimes more. The security arsenal is considerable, including bringing revocation and "push" software updates (contained on the media disks) to the mass-market Consumer Electronics domain for the first time. The AACS scheme has been widely cracked; however, it is supplemented by the BD+ system on many disks. BD+ proper has not been cracked, but due to the complexities of the ecosystem (many different players as potential sources of key leakage, for example) it is often possible to copy BD+ protected disks, although the mechanisms for doing so are not very convenient and it's not an especially common practice among consumers.

A common but undesirable attribute of many software-based secure systems, including most digital content control technologies, namely, that if one person produces an effective attack such as a content-protection crack, others can use it anywhere, in the worst case for all content on all systems using similar software.

An attack which seeks to defeat security schemes using passwords, serial numbers, cryptographic keys, or similar secret data, simply by "guessing" and trying every possible value until one works. As a rule, brute-force attacks are ineffective against well-implemented systems. If the system is cryptographic, keys in modern cryptography are quite long and an exhaustive search would take many years - perhaps millions of years - with current technology. As for logon passwords, measures such as a lockout after a certain number of unsuccessful attempts can slow the attacker to a crawl (unless he's doing a local attack on a copy of your password file, in which case you have other problems - and it still takes quite a while). Serial numbers usually have internal validity checks, so that randomly guessed values would mostly not even pass those checks. As a result, brute-force attacks are rarely used by hackers, who prefer other techniques such as key discovery, keygens, clear text interception, or social engineering instead.

How all of the players involved in a business transaction or ecosystem make money, starting with the end consumer and on through the value chain. What's this got to do with DRM? Plenty. Often DRM technology has languished while companies squabbled over how to share on-line revenue that they would never get in the first place, either because their business offers sucked, or because the expenses and the revenues were not coming in to the same party.

Today there is an online content business, and it has a standard retail model: the 99 cent music-single download, years late though it may be. Behind the Web site, however, it's still a mess, with half-a-dozen parties haggling for their share of the revenue, and profits being elusive for most of them. This is in large part the result of Byzantine licensing rules and entrenched players such as the major record labels.

Now that the genie of healthy competition is out of the bottle, it cannot be put back in, much as some of the embattled incumbents would like it to be. Major artists who can get by without a label - or up-and-coming artists who never had one in the first place - can go direct to on-line. Further, all-you-can-eat subscription business models are appearing as alternatives to paying per tune. This is certainly a good thing for on-line content.

An optional add-on data area sometimes used on DVD media. Originally proposed by the now-defunct Divx video-rental company, it is a way of putting unique information such as serial numbers on otherwise mass-produced and identical DVDs. This is possible because putting data in the BCA uses a laser as an additional step after the stamping of the DVD. The BCA is also in a section of the disc which could be read but not written by consumer DVD burners, thus helping copy protection schemes. More recent formats are capable of burning it, however. Because the BCA adds expense to the production process it was not widely used, the only notable exception being PlayStation 2 games.

An early (July 2003) entrant into the on-line music distribution business. Launched by Scot Blum, the founder of buy.com, it used Microsoft Windows Media Player technology and was the first answer for Windows users to Apple's then Mac-only iTunes service. It apparently didn't last; as of early 2013 the link is redirected to a part of buy.com where physical CDs are sold.

C

UK-based company which developed CD anti-copy technology for software and audio. They were bought out by Macrovision, now Rovi, in 1999, which morphed their technology into the "SafeAudio", SafeCast and CDS products. Macrovision also acquired related technology from TTR, so they appeared to be serious about the CD anti-copy market. This market never took off, and the idea of protecting audio CDs from copying seems absurd today.

The leading utility for managing - and in practice usually also for cracking the protection of - eBooks. It's an easily downloaded, free, open-source tool which supports a wide variety of ebook formats. It has a plug-in structure which provides considerable flexibility and also has the convenient property that the functions that might be considered piratical are isolated in specific plug-ins and are not part of the core tool. In an informal study done by a student for your scribe in 2011, most of the pirated ebooks on the Internet appeared to have been converted to unprotected formats using Calibre.

To be fair to the folks behind Calibre, there is a reasonable argument based on fair use for at least being able to make personal copies of a book you bought that won't disappear if you choose the wrong eBook vendor. But of course anti-copy technology can't tell what's fair use and what isn't.

A digital document which uses cryptographic techniques to create a mathematically unspoofable association between some data and an entity that certifies that data. Certificates have many flavors and applications. The best-known one is probably the X.509 certificate issued by companies such as Verisign, which act as "certification authorities" for the identity of a Web merchant in SSL sessions, as used to provide privacy for credit-card transactions. In such cases the certificate is associated with a public-private (asymmetric) key pair which was created by the same certification authority, and the public key is actually part of the certificate.

In the world of consumer DRM, certificates are common now. They are almost always "under the hood", identifying components of the end-to-end infrastructure and not the actual consumer, so the consumer is not usually aware of their existence or function.

A classic business dilemma where one method of selling something reduces the revenues that would otherwise be obtained from another method. For example, selling software through online downloads reduces the revenue of retail software stores. In the worst case, a poorly chosen new channel can simultaneously alienate major partners and reduce overall revenues. Fear of channel conflict is endemic in the content industry. Unfortunately, sometimes the most significant competitive channels are "unofficial" ones - such as peer-to-peer networks - which generate no revenue and which content owners don't control. In the long run the only way for content owners to succeed is to recognize the whole channel set, including channels inside and outside their control, and optimize it so that most consumers prefer the legitimate channels and so generate a reasonable return on investment.

The ability of a DRM system on one platform, such as a PC, to "lend" a copy of a controlled asset to another platform - such as a mobile device or another PC - in such a way that the asset behaves like a physical one, such as a library book. That is, it is "checked out" from the original system and cannot be accessed from there until it is later "checked in" from the other device. The intent is to support space shifting without helping make possibly unlimited, illegitimate copies. However, it is extremely hard to implement in such a way that it is both secure and convenient, and considering that it closes a relatively small security gap, it is not clear that it will become a mainstream feature of DRM systems any time soon.

The intimidation of corporations or citizens based on allegations - usually in letters from lawyers - that their (typically on-line) activities are in violation of some law such as the DMCA. The problem is that it usually doesn't matter whether the allegations have merit or not. Most recipients of such letters simply give in regardless, because they cannot afford the distraction and cost of a legal fight. DMCA takedown orders, while they are often legitimately protecting copyright holders' property, are arguably in this category because fighting them is more trouble than it is worth. The chillingeffects.org Web site is a clearing house for information on this activity.

An American DRM technology company founded by key executives from Divx. They developed technology to prevent the video taping of movies from theater screens using camcorders. Their main product was a fingerprint-based "secure DVD player" used for Hollywood screeners (advance movie copies sent to Hollywood insiders for award-related reviews, which have often been pirated). They also had a pool of intellectual property from Divx. They were bought by Dolby in September 2003 and no longer have an independent Web site.

Term used in cryptography for the unencrypted form of a protected data item. (The term "plain text" is also used.) An intelligent attacker of a cryptography-based system seeks to obtain a cleartext with the minimum possible effort. In the world of mass-market open systems such as PCs and mobile devices, intercepting a cleartext is usually easy. All you have to do is "play" the content once, and the content, flowing in real time, even if intended to be hidden and transient, can often be intercepted, for example by a shim. Cleartext interception is an attack option for many pirates of audio and video, colloquially known as siphoning, although higher-level attacks such as Key Discovery are preferred when they are possible.

A North American (U.S. headquarters, Canadian R&D) technology company which provided security technology useful for DRM and other applications. They developed "packaged" media ons which enable software developers to comply with the Robustness Rules associated with media DRM standards such as PlayReady. In 2007, Cloakware was bought by Dutch set-top box maker Irdeto. Full disclosure: your scribe has been working for Cloakware/Irdeto since 2004, and is still an even-handed commentator on the DRM scene - I do this on my own time ;-)

A special case of spoofing where an attacker analyzes a component of a security system (typically a physical one like a smart card) and succeeds in understanding it well enough to make "plausible" copies. These copies are good enough to fool the system (e.g. a TV service) into providing free service - free because there is either no associated subscriber, or a fraudulent association to another existing subscriber.

Marketing buzzword for the notion that most of the data and services (e.g. media, computing etc.) people want reside, not in the devices in front of them, but in a "cloud" of internet-accessed resources, the physical nature of which is irrelevant. Like most of the "next big things" in technology, those behind the curve (e.g. Microsoft) are hyping it up and those who are ahead (e.g. Apple, Google, social networks) have been quietly using "the cloud" for years. Anyone with more than one iOS device, for example, knows how stuff magically shows up on device #2 shortly after they put it onto device #1. The best implementations, like Apple's, "just work", and non-technical users like my wife have no idea what a complex problem is being solved.

MP3.com tried to provide a cloud-based music streaming service as far back as 1998, but they were too far ahead of their time both commercially and technologically.

As far as DRM goes, most DRMed content is still stored locally on people's devices, but the cloud is often used to synchronize it between devices. As good Internet connectivity becomes more ubiquitous and content providers start to accept reality, cloud-originated streaming media is becoming much more common. One of the most successful independent streaming solution providers is Spotify.

A proprietary, legacy encryption algorithm used by Microsoft to encrypt media data in their WMDRM system, now superseded by AES. It was essentially a variation of RC4 which, so to speak, "rotates the shield frequencies": the derivation of the final bytewise XOR values (the keystream) has variations thrown in relative to normal RC4. When WMDRM first came out, many consumer devices were incapable of running higher-security encryption algorithms.
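The two entries above (Cleartext and Cocktail) both come down to a bytewise XOR keystream and where it gets undone. The following is an added example, not code from the page or from Microsoft: plain RC4 keystream generation (Cocktail's proprietary tweaks to the schedule are not public and are not reproduced), a toy "player" that decrypts and renders in chunks, a shim that siphons the cleartext at the render stage without ever touching the key, and the classic caveat that a reused keystream leaks the XOR of two plaintexts. The Player class, the content key and the content bytes are all constructed for the illustration.

```python
"""Added example: RC4 keystream, a toy DRM player, a cleartext-siphoning shim,
and the keystream-reuse pitfall. Cocktail's actual variations on RC4 are not
public and are NOT modelled; this is standard RC4."""


def rc4_keystream(key: bytes):
    """Standard RC4: key-scheduling (KSA), then the byte generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


class Player:
    """Constructed 'DRM player': holds the content key, decrypts in chunks and
    hands each cleartext chunk to its output stage. The cleartext is meant to
    be transient and never written anywhere."""

    def __init__(self, content_key: bytes):
        self._key = content_key

    def render(self, chunk: bytes) -> int:
        """Stand-in for the audio/video output driver; returns bytes rendered."""
        return len(chunk)

    def play(self, ciphertext: bytes, chunk: int = 16) -> int:
        ks = rc4_keystream(self._key)
        rendered = 0
        for off in range(0, len(ciphertext), chunk):
            clear = bytes(b ^ next(ks) for b in ciphertext[off:off + chunk])
            rendered += self.render(clear)
        return rendered


def install_shim(player: Player, capture: list) -> None:
    """Siphoning: wrap the output stage so every cleartext chunk is copied
    before it is rendered. The attacker never learns the content key."""
    original = player.render

    def shimmed(chunk: bytes) -> int:
        capture.append(chunk)
        return original(chunk)

    player.render = shimmed  # instance attribute shadows the class method


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Caveat: two items encrypted under the same key (hence the same keystream)
    XOR to the XOR of their plaintexts, with no key required at all."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    key = b"constructed-content-key"
    content = b"constructed audio frames: " + bytes(range(64))
    player, captured = Player(key), []
    install_shim(player, captured)
    player.play(rc4_crypt(key, content))
    print("siphoned cleartext matches:", b"".join(captured) == content)
```

The shim needs no knowledge of the cipher or the key, which is why Robustness Rules for media DRM put so much weight on protecting the path between decryption and output rather than on the cipher alone.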

Short for "coder-decoder". In this context, a codec is a digital algorithm, typically executed in software, which transforms a media signal into a form optimized for transmission or storage, and then transforms it back again. For example, the seminal codec in the music space, MP3, transforms a raw PCM music signal into a form about 10 times smaller than the original. It is important to note that a codec is NOT the same as - although it may be related to - a file format.

Putting a digital signature on a piece of code to provide assurance that it was produced by a known entity and has not been tampered with. Often the techniques of PKI are used. Sometimes code signing is designed to inspire confidence in the user, as when installing browser add-ons. In the DRM world, code signing is often used to verify that rights-enforcing code has not been tampered with, i.e. to inspire confidence in the content owners. Today, most significant platforms (including Windows, iOS, and Android) use code signing, and iOS in particular is very picky, refusing to install any app which is not code-signed by Apple. Hackers don't like code signing, and defeating it is a major aspect of the common practice of jailbreaking.
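The three outcomes that matter in the entry above (genuine code installs, tampered code is refused, code re-signed with a key the platform does not trust is refused) are shown in the following added example, which is not code from the page or from any platform vendor. To run with only the Python standard library it uses textbook RSA over a SHA-256 digest with fixed Mersenne primes; that is a toy and NOT a secure signature scheme (no padding, no real key generation). A real platform uses RSA-PSS or ECDSA from a vetted library; the flow, not the primitive, is the point. The key sizes, the loader and the package bytes are all assumptions.

```python
"""Added example: code signing as an install-time gate. Toy RSA, NOT secure."""
import hashlib

E = 65537


def toy_keypair(p_exp, q_exp):
    """(public, private) from Mersenne primes 2^p-1 and 2^q-1. Toy only: real
    keys are generated from random primes, never from published constants."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (n, E), (n, d)


def sign(priv, code: bytes) -> int:
    """Signature = hash of the code raised to the private exponent."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(code).digest(), "big")   # 256 bits < n
    return pow(h, d, n)


def verify(pub, code: bytes, sig: int) -> bool:
    """Recompute the hash and check it matches the signature under the public key."""
    n, e = pub
    h = int.from_bytes(hashlib.sha256(code).digest(), "big")
    return pow(sig, e, n) == h


# The platform vendor's key (the only one the loader trusts) and an attacker's.
VENDOR_PUB, VENDOR_PRIV = toy_keypair(127, 521)
ATTACKER_PUB, ATTACKER_PRIV = toy_keypair(89, 607)


def loader(trusted_pub, package):
    """Model of the install check: package = (code, signature). Anything that
    does not verify under the trusted key is refused before it can run."""
    code, sig = package
    if not verify(trusted_pub, code, sig):
        return "rejected: bad or untrusted signature"
    return "installed"


if __name__ == "__main__":
    code = b"print('hello from a signed app')"          # constructed package
    package = (code, sign(VENDOR_PRIV, code))
    print(loader(VENDOR_PUB, package))
    tampered = (code.replace(b"hello", b"hacked"), package[1])
    print(loader(VENDOR_PUB, tampered))
```

Note the last case in the test below: if an attacker can replace the trusted public key in the loader (the jailbreak idea), their own signatures become "valid". That is why the trusted key lives in hardware or in an early, itself-signed boot stage on platforms that take this seriously.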

Term of art for behavioral rules which manufacturers of equipment implementing DRM must ensure their equipment follows. For example, video cards must ensure output copy protection such as HDCP is turned on if the content license so specifies. Since hackers will inevitably seek to crack systems to allow unrestricted copying, there are usually additional Robustness Rules, designed to make the system resistant to attack, which must also be complied with. In practice, Compliance Rules and Robustness Rules are technical documents tied to license contracts for particular DRM technology such as Windows Media DRM or CPRM. Here are examples of Microsoft's current Compliance and Robustness Rules for PlayReady.

A license to use content which is prescribed by law on a blanket basis for a given situation, as opposed to being negotiated between users and copyright holders. It's "compulsory" because, as a practical matter, copyright holders can't say no. They DO get paid, although the formulas by which this happens are a matter of great debate.

Compulsory licenses serve legitimate purposes in some arenas. Most notably, they enabled commercial radio to become a viable business by giving radio stations access to a vast range of music without having to enter into endless negotiations with thousands of copyright holders.

Some commentators (notably the EFF) argue that the current mess in digital music - P2P downloading of pirated MP3s - could be solved by compulsory licensing, but they have yet to make a compelling case. Perhaps few of us care that compulsory licensing would weaken the raison d'etre of powerful, well-connected groups like the RIAA, but the U.S. Congress does. More fundamentally, in the absence of good revenue sources for distributors, it's hard to see how the business model would work without in effect becoming a general "music tax" - which sounds wrong even to your liberal Canadian scribe, and would never fly in the USA.

There is also an emerging market for software-based conditional access, which eschews smart cards in favor of flexible, tamper-resistant software control. Sometimes these systems also use internet-based signal distribution as opposed to broadcast distribution, and in those cases use is often made of a back-channel as well, since this comes for free on the Internet.
Companies such as Irdeto have been riding this wave of change from smart-cards to software-based schemes and from broadcast (e.g. satellite) to IP delivery.

A software component which deliberately degrades (typically, by downscaling the resolution of) a video signal. The idea is that when a signal is at risk of being copied, it should not be pristine "copyable unto the Nth generation" quality, but rather behave more like a low-quality analog copy, making it undesirable as a source of pirated content. Under certain circumstances, DRM Compliance Rules might require downscaling of a high-definition signal.

Everyday fixed-function electronic appliances such as audio CD players, Blu-ray players, TVs etc.
These are significant for DRM because the dominant formats and protection schemes, such as Red Book audio, MP3, MPEG-2, CSS, or AACS, are almost impossible to change in a way which makes content harder to steal on a PC without breaking playback on CE devices, which are deployed in the billions.

The recent emergence of tablets and smartphones as the dominant devices in consumer hands changes this landscape appreciably. While they are arguably also "Consumer Electronics", their general-purpose, app-driven nature makes them a lot different from the bigger boxes in our living rooms. On the positive side, it is easier to keep them up to date, including from a security point of view. On the negative side, their general-purpose nature means that they are also relatively easy to attack.

A DRM technology company spun out of Xerox, based largely on DRM patents from Xerox' famous PARC research institute. In 2004 there was a controversial takeover by Microsoft, Time Warner, and Thomson. Then in 2011 it was sold in turn to Pendrell. Your scribe has no inside information and has not seen published statements about Microsoft's motives for this re-sale. However it seems very likely that Microsoft wanted to avoid the perception, both within the technology community and within (notably European) governments, that it had an unhealthy monopoly on DRM IP. Since no doubt Microsoft has licensing terms for any of the IP they feel they really need, that frees them to get on with business while Pendrell presumably goes after potential infringers of the ContentGuard IP.

A "renewable cryptographic method for protecting entertainment content when recorded on physical media" from the 4C Entity. CPRM has flavors for several storage media types, notably SD cards. There was also a controversial proposal for ATA disk drives in PCs, which met wide opposition. None of this seems to have gone anywhere commercially.

A legacy set of guidelines for content protection in the video space developed in 2005 in co-operation with the CPTWG. It was reasonably good stuff technically, but it was in the spirit of interoperability, which has never caught on.

A now-defunct industry forum that aimed to foster interoperability for DRM systems and to allow the extension of such systems to P2P, viral, or other distribution forms. The key concept was that an always-resolvable reference to content is an essential starting point for content-based commerce, and that details such as the format of the content are changeable and secondary. This was and is, technologically, a reasonable approach, and key players such as Microsoft were members. However it seems the usual logjam of competing commercial and IP issues has stymied it; the site showed no activity after 2003 and is now offline.

A buzzword which was used around the turn of the millennium by anyone trying to sell high-tech gear with ever-more features crammed in - cell-phones with color graphics, Internet capability, and PDA functions, for instance. Reality has more or less caught up with the buzz a decade later, as iPads, smart-phones and the like provide cheap, versatile networked computing power as well as media/entertainment capability.

A system designed to prevent digital copies being made from DVDs. There are separate versions addressing copies transferred between devices in analog form (CGMS/A, now largely obsolete) and in digital form (CGMS/D). Due to fumbling between industry standards groups, CGMS/A was never effective in the European PAL format.

As the name implies, a kind of opposite to copyright, used by the free software movement. Material which is "copylefted" is not only publicly available, but requires that all of its users maintain its public availability even if they modify it. The intent is that material such as open source software remains freely available as it evolves and improves, rather than becoming privatized so that access to improvements is lost.

Copy protection is the use of technology to prevent the copying of analog or digital data. By this definition, trying to make uncrackable copy protection is arguably futile. It often seems that copy protection and DRM are the same thing. This does not have to be so! More enlightened DRM approaches, such as those developed by the now-defunct :-( NetActive welcome copying as free distribution and focus on controlling how the recipient uses the copied data. Copy protection is also causing a backlash amongst consumers. A few years ago, content providers seemed determined to kill physical audio CD sales with harebrained anti-copy schemes. CDs died anyway, but that was because of iTunes, not copying from CDs, and even iTunes does not use copy protection for audio any more. The battle continues with DVD (lost) and Blu-Ray disks (struggling).

An industry consortium, apparently sponsored by the MPAA, which proposes copy protection technology. They created the Broadcast Flag proposal and also investigated means to close the "analog hole". As of 2013, their Web site looks pretty ghostly - it looks like Hollywood's attention re DRM is now focused in other places.

A set of cultural expectations and laws that aim to strike a balance between the ability of a creative person to get paid for her efforts, and the long-term needs of society. The details vary widely from one place to another, but the principles are commonly understood. For example, if I buy a copyrighted audio CD, a bit of copying for certain uses is OK, but a lot of copying -especially if I'm selling the copies - is not. This particular notion is called Fair Use in the USA. Unfortunately, in the face of trivially copyable digital goods, copyright in its current form is in trouble. Many software companies are attempting to get around copyright expectations they don't like by positioning their transactions as License Contracts rather than sales of copyrighted goods. Content owners can't get both traditional fair-use behavior and robust protection, so many of them are simply trying to prevent copying altogether. It's not clear how this will play out, but the current situation is clearly transitional. For more on this see our DRM Policy page.

Launched in October 2004 and finally abandoned in Dec 2012: "..a cross-industry group to promote interoperability between digital rights management (DRM) technologies...". Interoperability is a most worthwhile goal. As always, much could be learned from who was NOT a member. The Microsoft/Contentguard/Time Warner triad was missing, as was Apple. There was some good technical thinking here; for instance they demonstrated that Windows Media DRM can work in the Coral framework. But as is observed elsewhere in this document, if the dominant players don't want interoperability, it doesn't happen.

A unique identifier burned into CPU chips which is different for every chip made. This is an obvious enough idea, but it is far from ubiquitous and was first introduced by Intel in the late 1990s as a unique 64-bit number in every Pentium CPU. This generated a huge public backlash due to concerns about privacy. Stung by this, Intel determined to share any good or bad consequences for their next security initiatives, and so the Trusted Computing Platform Alliance was born. Nowadays, though CPU serial numbers per se are far from universal, there are related schemes in most architectures, but related privacy concerns remain. For instance, Apple's UDID device identifier can identify unique iOS devices, but its use by third party developers is forbidden by the App Store rules.

No, crack-trollers (you know who you are), we don't give out cracks here! (Verb): the art and science of discovering one or more security "secrets" with the aim of defeating the related security system. DRM systems for software are often "cracked" by reverse-engineering and modifying their software executable files to circumvent built-in restrictions - typically copying or usage restrictions. The term is also used for the discovery of cryptographic keys and passwords, especially when the latter are derived by analyzing a Unix-style hashed password file. It is also applied to breaking hardware-based schemes, for example, cloning GSM SIM smart cards. Sometimes the term is also used to refer generally to any malicious activity by hackers, such as breaking into other people's networks. (Noun): The captured, redistributable result of a successful "cracking" exercise - typically a password, a small set of instructions, or an executable code-modifying program - which allows unskilled users to circumvent built-in limitations as above. The problem with cracks is that one determined, dishonest technical expert can usually enable theft of content by millions of non-technical people. (See also exploits and BOBE).

The brainchild of Larry Lessig, Creative Commons is a Web site, a technology, and a concept, all in support of Larry's ideas about what to do about copyright in the Internet era. The essence of the idea is to support direct relationships between creators and consumers of digital content, without technological copy protection but with an automated scheme that makes choosing various licensing options easy. In the intervening years, it has hardly taken over the world, but it's an interesting experiment and there is some good content in the spirit of the system - see for instance Magnatunes.

Those ubiquitous pieces of plastic which a significant part of the Internet content audience does not possess. They also aren't very good for billing small amounts of money - as Apple and others are finding out with 99 cent downloads such as those on iTunes. Theoretically, microtransactions could also fill the bill, though that road is littered with corpses. Another option is prepaid cards, which are a stocking-stuffer of choice for North American parents of teenagers.

The generally accepted figure-of-merit for biometric systems, which have been considered and rejected by several parties over the years for DRM applications. If you tune a biometric system so that the percentage of false "accepts" equals the percentage of false "rejects", that percentage (say, 1% errors) is the Crossover Error Rate. Obviously, a lower error rate is better.
You might expect that either false positives or false negatives could be eliminated altogether, but even expensive, state-of-the-art biometrics is far from achieving this. That's why biometric systems are almost never used alone to provide user authentication, but rather to provide additional confidence in a system which already has a candidate identity. Simpler technologies, such as keyboard pattern recognition and voice recognition, are the only ones that can currently be contemplated in DRM systems.
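The following is an added example, not code from the page: given matcher scores for genuine and impostor attempts, it sweeps the acceptance threshold, computes the false accept rate (FAR) and false reject rate (FRR) at each setting, and finds the crossover. It also shows what the entry above warns about: driving either error to zero is possible only by paying heavily in the other. The score samples are constructed (0..100 similarity, higher is a better match); a real evaluation uses thousands of attempts per population.

```python
"""Added example: FAR, FRR and the crossover error rate on constructed scores."""

# Constructed matcher scores. GENUINE: the enrolled user's attempts.
# IMPOSTOR: other people's attempts against that user's template.
GENUINE = [62, 71, 75, 78, 81, 84, 88, 90, 93, 97]
IMPOSTOR = [12, 25, 33, 41, 48, 55, 60, 66, 72, 79]


def false_accept_rate(impostor, threshold):
    """Fraction of impostor attempts accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(genuine, threshold):
    """Fraction of genuine attempts rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover_error_rate(genuine, impostor):
    """Sweep every integer threshold and return (threshold, rate) at the point
    where FAR and FRR are closest. That rate is the CER (also called EER)."""
    best = None
    for t in range(0, 101):
        far = false_accept_rate(impostor, t)
        frr = false_reject_rate(genuine, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def cost_of_zero_far(genuine, impostor):
    """Lowest threshold with no false accepts, and the FRR you pay for it."""
    t = max(impostor) + 1
    return t, false_reject_rate(genuine, t)


def cost_of_zero_frr(genuine, impostor):
    """Highest threshold with no false rejects, and the FAR you pay for it."""
    t = min(genuine)
    return t, false_accept_rate(impostor, t)


if __name__ == "__main__":
    print("crossover (threshold, rate):", crossover_error_rate(GENUINE, IMPOSTOR))
    print("zero FAR costs (threshold, FRR):", cost_of_zero_far(GENUINE, IMPOSTOR))
    print("zero FRR costs (threshold, FAR):", cost_of_zero_frr(GENUINE, IMPOSTOR))
```

On these samples the crossover sits at a threshold of 72 with 20% error either way; refusing every impostor means rejecting 40% of genuine attempts, and accepting every genuine attempt lets 30% of impostors through. That trade-off is why biometrics serves as a second signal on top of a candidate identity rather than as the sole gate.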

A really insidious idea from the American entertainment establishment, circa 2006: a successor to Fair Use which says, in effect, that any new creative media application may be illegal if it does not somehow make "customary historic use" of the material in question. Fortunately this didn't seem to get beyond the proposed-legislation stage. More from Ars Technica here.

Cryptography is the technology of keeping - and selectively sharing - secrets, which is a key component of Digital Rights Management systems. For more details see the entries on the most popular implementations of cryptography: symmetric cryptography, asymmetric cryptography, and PKI. Cryptography has been oversold and misunderstood in DRM circles. To help clear this up, see the more detailed analysis on the Cryptography in DRM page.

D

1) A term coined by Microsoft in their seminal 2002 paper The Darknet and the Future of Content Distribution. This paper doesn't really say anything that Internet experts didn't know already - i.e. that content protection systems will always be cracked by somebody, somewhere, and stolen content will always be illicitly traded in "dark" corners of the Internet. But the paper is significant in that it is an unusual expression of candor from Microsoft, and also in that it encourages people to think beyond black-and-white notions of "crackability". A content management system can be crackable and still provide both good risk management for content owners and good value for consumers.

A crack to remove CSS encryption (thus, "de-CSS") from DVD video. The quick emergence of deCSS was an embarrassment to Hollywood and rightly discredited the sort of closed-door, secret process by which the weak CSS scheme was developed. Residential broadband Internet connections, DVD burners and DVD copying software are easily accessible, so this is a practical problem, though there is little data on the associated revenue loss. The studios were more careful with the next generation, building much heavier security into the Blu-ray format - which got cracked anyway, it just required more work.

A paradigm according to which technology is designed, not to actually work (i.e. accomplish common-sense objectives), but to make sure that there is someone to sue when it fails. Sometimes this takes the form of laughable "protection" measures which are trivially circumventable but - gotcha ! - you can't circumvent them without violating the DMCA.

Although most politicians are lawyers, this is even more dangerous than design by lawyer, because politicians can force manufacturers - and thereby consumers - to use their bad designs through legislation. In the USA long ago, Macrovision technology was legislated into analog VCRs, which wasn't TOO bad and is irrelevant now anyway. There were two subsequent near misses - the Hollings Bill, and an equally misguided proposal endorsed by the FCC in 2003, the Broadcast Flag.

Term adopted by Microsoft in 2006 for a protected content transfer link between Microsoft devices, formerly known as CopyFromDevice (CFD). It is a quick copy mechanism used for content transfer, as opposed to real-time streaming. It debuted (at least under that name) along with the Zune portable media player, and was used for the wireless sharing feature of the Zune.

"Dynamic Feedback Arrangement Scrambling Technique". An encryption mechanism used in the digital set-top box arena, invented and licensed by CableLabs (with a little encouragement from the FCC).

An interesting bit of history: an early (1995) bit of DRM-related Intellectual Property from Electronic Publishing Resources, which later became Intertrust. A copy of the paper from Usenix can be found here.

Represented by discrete values such as 1 and 0, as opposed to the continuously varying values of the analog domain. From a DRM perspective, the significance of a digital representation is that collections of 1s and 0s - such as, say, DVD movies- can be transmitted and copied perfectly for many generations. Add personal computers and hackers to the mix, and digital content piracy becomes so easy and potentially damaging that Digital Rights Management technologies are required.

The art and technology of managing large, complex, evolving collections of digital assets, such as the file sets of a large Web site, or a collection of media files which can be distributed over the Internet. Many content owners, trying to make content available on line, have found that large-scale DAM is a difficult obstacle which must be addressed for a site to be viable, whether DRM is also involved or not. This is especially true when the content has complex licensing or royalty requirements, some of which may have been negotiated years ago without taking Internet distribution into account.

Despite the generic name, this refers to a specific movie business practice and related technology whereby content providers bundle a "Digital Copy", or at least the means to produce such a copy, with physical media such as a DVD or Blu-ray disk. The idea is to appease consumers who might otherwise be frustrated that they cannot make personal copies for legitimate purposes - such as, for instance, watching DVD movies on their laptops without having to lug a bunch of DVDs around. Of course, anyone can copy DVDs today anyway, so it's rather pointless for that market, except that it might be a little more convenient than deCSS. Blu-ray disks can often be copied too, but that's a more esoteric cat-and-mouse exercise most consumers probably wouldn't bother with. The variant used for Blu-ray is called Managed Copy. Of course physical disks are passé anyway, so the torch has largely been passed to network-based approaches such as Ultraviolet.

A Hollywood initiative dating back to 2008, to provide multi-platform, portable DRM-protected media to consumers. The most obvious fruit of their labors so far is the ultraviolet cloud-based media rights management system. The vision is good, and the motive for Hollywood is clear (to get out of Apple's stranglehold on media distribution). However the execution has been flawed and key players are not on board, which is not surprising in the face of the diverse platforms and interests involved, and several years on most consumers have no idea what DECE is.

Originally known as the Digital Home Working Group, a consortium which promotes interoperable home media networking, including DRM capabilities, with associated consumer logos. You have to pony up thousands of dollars a year or more to join and find out what they are really up to, which is arguably not a good way to get a critical mass of adoption. However, they were supported by some key players such as Intel and helped standardize a number of interoperable home media technologies, notably DTCP.

A multidisciplinary advocacy group led by Leonardo Chiariglione, which tried to help digital media out of its technical, legal, and commercial log-jams, but without much effect. The group has very little commercial support; their initial wide-ranging Digital Media Manifesto document provided a useful vision and in 2005 they published more practical specifications, but nobody with any commercial clout seems to care and the Web site, though still up, shows no sign of life since 2010.

The DMCA is legislation passed in the USA in 1998. It attempts to bring copyright legislation into the Internet age, but many observers feel that it tilts the balance of power way too far in favor of copyright holders. The DMCA is immensely controversial. Of particular concern is the massive and potentially abusive use of DMCA takedowns.

An early Rights Expression Language developed by a team led by Mark Stefik at the Xerox Palo Alto Research Center. DPRL was conceived before XML became the clear choice for metadata in general and Rights Expression in particular. Although XML implementations of DPRL were proposed, today DPRL is a historical artifact whose concepts have been adopted by XRML and ODRL.

A point-to-point encryption mechanism for use on advanced digital interconnects joining consumer electronics and PCs within the home, sponsored by the 5C entity. It has been adopted by the DLNA and is an approved output on some set-top boxes, but not all content owners are satisfied with its security and its uptake has been limited.

Also known as Digital Video Disk. The hugely popular plastic-disk format for home viewing of movies using the MPEG-2 codec. It was the first mass-entertainment medium to feature encryption, although the security design was poor and was cracked soon after the format became common. Since then piracy of DVDs has been rampant. Constrained as they were by backward compatibility with Consumer Electronics DVD players, Hollywood could not stop this technologically.

A technological security technique involving deliberate variation between individual instances of something - typically software code or digital media - designed to make them traceable and/or to make it resistant to fixed-function attack tools such as cracks.
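The following is an added example, not code from the page or from any DRM vendor, showing both halves of the definition above on a toy stack machine constructed for the purpose: every recipient gets a build of the same license check with pseudo-random NOP padding (seeded by their name), so a crack written as "overwrite the two bytes at offset X" against one build does not work on the others, and a leaked copy can be matched back to the recipient it was issued to. The machine, its opcodes, the secret and the recipient names are all assumptions.

```python
"""Added example: software diversity versus a fixed-offset crack, plus
traceability of leaked copies. Toy stack machine, constructed for illustration."""
import hashlib
import random

# Toy opcodes. NOP is 0x90 (as on x86) so a NOP written over an immediate
# pushes a non-zero value rather than 0.
NOP = 0x90
LOADKEY, PUSH, SUB, JNZ, RET_OK, RET_FAIL = range(1, 7)

SECRET = 0x2A     # key the check expects (constructed)
WRONG = 0x13      # a key that must be rejected (constructed)
MAX_STEPS = 64    # patched code may loop; cap execution

# Reference build: push key, push SECRET, subtract, jump to RET_FAIL if non-zero.
MASTER = bytes([LOADKEY, PUSH, SECRET, SUB, JNZ, 7, RET_OK, RET_FAIL])


def instructions(prog):
    """Yield (offset, opcode) at each instruction boundary of a well-formed build."""
    pc = 0
    while pc < len(prog):
        yield pc, prog[pc]
        pc += 2 if prog[pc] in (PUSH, JNZ) else 1


def diversify(prog, recipient):
    """Recipient-specific build: 0..3 NOPs before each instruction, with jump
    targets relocated. Reproducible per recipient, different between them."""
    seed = int.from_bytes(hashlib.sha256(recipient.encode()).digest(), "big")
    rng = random.Random(seed)
    out, relocate, fixups = bytearray(), {}, []
    for off, op in instructions(prog):
        out.extend([NOP] * rng.randint(0, 3))
        relocate[off] = len(out)
        out.append(op)
        if op == PUSH:
            out.append(prog[off + 1])
        elif op == JNZ:
            fixups.append((len(out), prog[off + 1]))
            out.append(0)                      # placeholder, patched below
    for pos, old_target in fixups:
        out[pos] = relocate[old_target]
    return bytes(out)


def run(prog, key):
    """Execute a build. True only if RET_OK is reached; any fault (illegal opcode,
    stack underflow, jump out of range, step limit) counts as rejection."""
    stack, pc = [], 0
    for _ in range(MAX_STEPS):
        if pc >= len(prog):
            return False
        op = prog[pc]
        if op == NOP:
            pc += 1
        elif op == LOADKEY:
            stack.append(key)
            pc += 1
        elif op == PUSH:
            if pc + 1 >= len(prog):
                return False
            stack.append(prog[pc + 1])
            pc += 2
        elif op == SUB:
            if len(stack) < 2:
                return False
            b, a = stack.pop(), stack.pop()
            stack.append((a - b) & 0xFF)
            pc += 1
        elif op == JNZ:
            if pc + 1 >= len(prog) or not stack:
                return False
            pc = prog[pc + 1] if stack.pop() else pc + 2
        elif op == RET_OK:
            return True
        else:
            return False                       # RET_FAIL or illegal opcode
    return False


def make_crack(build):
    """What a cracker ships after studying ONE build: 'write two NOPs at offset
    X', which removes the conditional jump to the failure path."""
    for off, op in instructions(build):
        if op == JNZ:
            return off, bytes([NOP, NOP])
    raise ValueError("no conditional jump found")


def apply_crack(build, crack):
    off, patch = crack
    if off + len(patch) > len(build):
        return build                           # out of range: no effect
    patched = bytearray(build)
    patched[off:off + len(patch)] = patch
    return bytes(patched)


def trace(builds, leaked):
    """Traceability: match a leaked copy, by hash, against the issuance log."""
    h = hashlib.sha256(leaked).hexdigest()
    return [who for who, b in builds.items() if hashlib.sha256(b).hexdigest() == h]
```

Applied to a build whose jump sits at a different offset, the same patch lands on other bytes and the check either still rejects the wrong key or the program faults; it never silently accepts. Commercial diversification varies much more than padding (instruction selection, data encodings, control flow), but the effect on a one-size-fits-all crack is the same.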

1) A media technology company originally focused on a codec of the same name, which, years ago, offered the best compression efficiency and was favored by the technical PC "underground" crowd. More recently, more efficient codecs such as H.264 have emerged, so DivX has adapted by providing other parts of the solution as well. There was a 2006 DRM deal with Google, but Google cancelled their DRMed video service in 2007.
2) A consumer electronics company that made "trick" DVD players that called home in the late 1990s. Encrypted DVDs were used that didn't need to be returned to video stores, since their play periods were controlled by DRM technology in the players. Although the technology apparently worked as intended, commercial factors killed them in 1999. Most notably, the requirement that consumers buy a special (and more expensive, and harder to find) DVD player caused inadequate adoption rates to sustain the company. Some of their executives bounced back to found Cinea.

A pocket-size PC peripheral hardware device. Today the term can loosely cover any such device, including simple USB key-chain memories. Historically, dongles were hardware anti-piracy devices which had to be plugged in for a specific software application to run on a given machine. Dongles from companies such as Aladdin or Rainbow were typically associated with expensive CAD (Computer-Aided Design) software packages. Dongles are considered very inconvenient and are widely cracked anyway. As a result, most companies which sell dongle DRM solutions also have software-only DRM solutions. Some companies are also packaging more capable smart card technology in dongle-like packages such as key-chain-sized USB plug-ins. This provides many of the benefits of a traditional smart card without requiring a separate reader peripheral on a PC.

A collection of devices which support protected media and which can share the media, and a single license for that media, in such a way that the user can access protected content on any of the devices. Technically, this is quite hard to do when the content and license are stored on the user's device. Only two DRM ecosystems currently offer built-in support for domains, Marlin and PlayReady. However there are other ways to get similar functionality - for instance, TV service operators usually have their own device management systems (e.g. user logons) and can use those to control multiple devices within a household in a way that is transparent to the DRM technology.

A variation of DVD which provided high-quality digital multi-channel audio. (The DVD-Audio version of Philip Glass' "Koyaanisqatsi" is astounding on high-end gear.) It competed with Sony's SACD format, and sadly neither won in the marketplace - they are still available, but mostly as back-catalog inventory for collectors. Unlike the older Audio CD format, DVD-Audio does have built-in copy protection, using CPPM as specified by the 4C Entity. There are no material cracks your scribe is aware of, which is probably one reason for the format's very limited uptake.

Jon Lech Johansen, the Scandinavian who famously cracked CSS as a teenager and has been a thorn in the side of copy protection advocates ever since. He has a record of consistently cracking DRM schemes, often with highly skilled help. In early 2005 he managed to design an iTunes client that can buy songs without DRM from the iTunes store. Later that year he surprised many observers by moving to the USA to work for Michael Robertson. Since Hollywood would love to see this guy in jail, you'd think he'd retire from activities which violate the DMCA. However, since he recently registered the domain deaacs.com, this seems unlikely. In 2006 he started out on his own, trying to make a legitimate business of applying his reverse-engineering skills to interoperability via DoubleTwist Ventures, and shortly after that he moved back to Denmark.

A family of software reverse-engineering techniques which rely on actually running the software in question. This may seem like a trivial statement, but in fact, a lot of software can be reverse-engineered and cracked without even running it, through the techniques of Static Analysis. Dynamic analysis is harder, requiring relatively high-skill tools like debuggers, network sniffers etc. and can be impeded by quite a few technological countermeasures.

E

(Better expressed as "Content Ecosystem".) A sizable system of managed content distribution using a consistent technology base including DRM. In the early days of this dictionary, such ecosystems were primarily about media, with iTunes and Windows Media being the dominant forces. They still are, in those arenas. Today however, there are several App-based ecosystems of similar significance. First of course is Apple's App ecosystem for iOS devices, with the Android app ecosystem second.

Ecosystems are very important because it is hard to live outside of one. For example, it is much simpler for media content owners to license their content on a per-ecosystem basis, because that way they don't have to do costly and difficult security due diligence on a wide variety of content technologies - the ecosystems build that security in via licensing rules for the participants. This can make life difficult for vendors of DRM technology who are not part of such an ecosystem. Similarly, for App developers, it is most cost-effective for them to develop Apps for only one or two dominant ecosystems rather than try to address them all. This makes it more difficult for the less dominant App ecosystems (such as BlackBerry and Windows Mobile 8) to attract a critical mass of Apps.

A book in electronic form, such as Adobe's Portable Document Format or the ePub format. The term can also be applied to a physical, dedicated electronic book appliance. Around the turn of the millennium several such devices appeared, floundered, and disappeared. Then in 2007 came the Kindle from Amazon, which has become the clear leader in the field, with a significant fraction of Amazon's sales being digital downloads targeting Kindles.

As the 800-pound gorilla in the space, Amazon evidently sees no need to play nice and go along with initiatives for interoperable DRM, and does not, for instance, support the ePub format.

The EFF is an advocacy group based in California which seeks to protect principles such as free speech and privacy on the Internet. They oppose DRM in general and limitations on copying digital goods (or sharing information about related security technology) in particular. I want to like these guys; they seem to be on the side of the common man. But their idealism works against them; if Hollywood overstates the case by depicting copying as evil piracy, the EFF equally overstates the case by insisting that ALL copy control is evil. A world without any copy control would effectively eliminate the main business model of the entertainment industry and, therefore, as a matter of American political reality, is NOT going to happen, period. Their record in legal battles is also uneven, as this Register article demonstrates.

IBM's offering in the consumer DRM space, now long defunct. It had no significant content portal wins except in Japan shortly after the year 2000.

Electronic Software Distribution (ESD)

As the name implies, ESD is the distribution of software by electronic means, as opposed to physical means such as CD-ROM. These days ESD is the dominant form of distribution, e.g. via App Stores, Steam or browser-based downloads. Long ago, when ESD seemed like a nifty idea, there were companies whose only business was facilitating such delivery. Ziplock from the late 90's was probably the last one standing.

An agreement between a user of software and the software vendor, which specifies the terms and conditions for use of the software. In practice, most EULAs are "click-through" steps at software installation time, where users glance briefly at many pages of lawyer-speak before shrugging and clicking "accept". In principle a EULA is a contract, in which the software supplier can specify arbitrary terms and conditions - notably, ones which remove the user's rights such as Fair Use normally associated with copyright. However, unlike a conventional contract, a EULA permits no negotiation.

A general-purpose, content-agnostic decrypt capability introduced in Microsoft's PlayReady DRM technology. It lets a software application developer open and seek into encrypted files of any kind using APIs provided by the PlayReady Porting Kit. The previous WMDRM-PD technology assumed that the content being protected was audio/video media. Envelopes use 128-bit AES encryption, unlike the simpler Cocktail cipher used by WMDRM.
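The property that makes "seek into encrypted files" cheap is the cipher mode, not anything specific to PlayReady: in counter (CTR) mode the keystream for any 16-byte block is AES(key, nonce || block number), so a reader can start decrypting at an arbitrary offset without touching the bytes before it. The following is an added example, not code from the page or from the PlayReady Porting Kit; the key, the nonce and the nonce-plus-big-endian-counter layout are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Assumed (not from the page or the PlayReady spec): a 128-bit content key and an
// 8-byte per-asset nonce; the counter block is nonce || big-endian block number.
// The nonce must never be reused with the same key.
var contentKey = []byte("0123456789abcdef")
var assetNonce = []byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04}

// counterBlock is the 16-byte CTR input for a given 16-byte block index.
func counterBlock(blockIndex uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	copy(iv, assetNonce)
	binary.BigEndian.PutUint64(iv[8:], blockIndex)
	return iv
}

// sealContent encrypts a whole asset in one pass, starting at block 0.
func sealContent(plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plain))
	cipher.NewCTR(block, counterBlock(0)).XORKeyStream(out, plain)
	return out, nil
}

// openRange decrypts only bytes [offset, offset+length) of a sealed asset. The
// keystream is restarted at the block that contains offset, and the keystream
// bytes inside that block which precede offset are generated and discarded so
// that the stream lines up. Nothing before offset is read or decrypted.
func openRange(sealed []byte, offset, length int) ([]byte, error) {
	if offset < 0 || length < 0 || offset+length > len(sealed) {
		return nil, fmt.Errorf("range [%d,%d) lies outside the %d-byte asset", offset, offset+length, len(sealed))
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	stream := cipher.NewCTR(block, counterBlock(uint64(offset/aes.BlockSize)))
	if skip := offset % aes.BlockSize; skip > 0 {
		stream.XORKeyStream(make([]byte, skip), make([]byte, skip))
	}
	out := make([]byte, length)
	stream.XORKeyStream(out, sealed[offset:offset+length])
	return out, nil
}

func main() {
	// Constructed stand-in for a media file: 64 repeats of a 17-byte "frame".
	asset := bytes.Repeat([]byte("frame-0123456789|"), 64)
	sealed, err := sealContent(asset)
	if err != nil {
		panic(err)
	}
	got, err := openRange(sealed, 700, 40)
	if err != nil {
		panic(err)
	}
	fmt.Printf("seek to byte 700: %q (matches plaintext: %v)\n", got, bytes.Equal(got, asset[700:740]))
}
```

Two caveats a practitioner would add: CTR mode provides no integrity, so a real envelope format needs a separate MAC or signature over the ciphertext if tampering matters, and the content key itself still has to be protected in the player (see key discovery).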

An ahead-of-its-time (2003) concept for a consumer music service based on subscription-based streaming as opposed to downloading content. (More from BusinessWeek here). This wasn't a bad idea, but it was about ten years too early as judged by the eventual success case in the field, Spotify.

A binary file containing machine-level instructions which can be directly executed by the central processor of a computer, such as x86 instructions for an Intel desktop processor. (Executable files, in the broader sense, may also contain virtual instructions for execution on virtual machines such as the Java Virtual Machine; however for reasons of efficiency and security DRM is rarely applied to such virtual code.) From a DRM perspective, although all content rendering necessarily involves executable code, it makes a difference whether the executable code itself is the controlled content - say, a demo of a game - or whether the content is a media file, played by a standard media player executable. The latter is the Player / Asset model. Because an executable file can have non-trivial "hidden" behavior, it turns out that it is technically more feasible to add robust DRM functions - both protection functions and consumer-desired functions - to executable content than to media content.

Code or a procedure, developed by a hacker, which takes advantage of a specific software vulnerability to perform a malicious attack on a computer system. Exploits are usually scripts which attack ("exploit") software weaknesses over a network, and so are of more concern in network security than in DRM. Cracks, on the other hand, are usually applied directly, to maliciously modify locally accessible code, and so are of direct concern in DRM systems. Producing an exploit may require considerable expertise, but using it unfortunately does not. (See script kiddies.)

A subset of Standard Generalized Markup Language (SGML), a widely used international text processing standard. XML has enjoyed tremendous uptake as the standard metadata language for the Web and in particular has become the basis for other standards such as XRML. For more information, see http://www.w3.org/XML/.

F

An interesting software anti-copy idea; in this case the term was coined by Macrovision: let copies happen but arrange for subtle side-effects of the copying to degrade the software (usually a game) over time in such a way that users will get enough of a taste to like the game, but have to go buy it to continue. As an idea it's sensible and somewhat obvious, but the devil is in the details... if such a system were used with high-value content, you can bet that highly-talented hackers would still take it apart. It doesn't seem that Macrovision ever commercially deployed such technology.

The term Apple uses for the DRM technology in their iTunes Music Service. FairPlay does control what can be done with files (for video only: in most jurisdictions they no longer apply DRM to audio), and restricts them to a world of Apple formats and associated players, but other than that it is one of the more reasonable and flexible DRM technologies in widespread use. Little has been made public about its internals. It is clear that security was less of a priority than usability in its design.

A principle of copyright law in most parts of the world, though it does not usually go by that name outside the USA. It explicitly allows copying of copyrighted material under specific circumstances, such as quoting a book in a review, or making a copy of an audio recording for personal domestic use. Unfortunately, the line between legitimate fair use and piracy is usually a matter of USER INTENT, which no technology can determine. As a result, content protection technologies cannot - even in principle - exactly preserve the current notion of Fair Use and still offer robust content protection. One could hope the technology capability will evolve and the practical definition of "Fair Use" will also evolve, to some middle ground acceptable to consumers and copyright holders. So far however most content owners use the most restrictive controls they can and don't worry about the fact that such controls effectively kill fair use.

A crack for Windows Media DRM, released in summer 2006, which removed the DRM encryption from the Windows Media Player files on a user's PC. Developed by a hacker known as Viodentia, it was a command-line utility which used Windows Media Player as part of its dirty work in an apparent key discovery attack. In fairness to Microsoft, several crack-free years went by prior to this problem, which is a considerable accomplishment in the space. Within a week Microsoft had issued a patch and the crackers had issued an "upgraded" crack which circumvented the patch. Such cat and mouse games never end ;-).

The leading regulatory body for telecommunications and broadcasting in the United States. Their 2003 broadcast flag ruling placed them in the midst of the DRM debate. About a year later, they stirred the pot further in a ruling that approved Specific DRM Technologies (pdf) which provided limited copying even in the face of the Broadcast Flag, despite serious opposition from content owners. It is debatable whether a government organization such as the FCC should be in the business of approving specific technologies (see design by lawyer). The particular list approved is also debatable: reportedly, all of the submitted technologies were approved, making one wonder whether there was a meaningful evaluation process.

However the eventual demise of the Broadcast Flag ruling was encouraging; it showed that content owners do not always win in Washington.

1) A broad term used for unique or pseudo-unique identifiers associated with a specific machine, user, item of content, or a combination thereof. Depending on the implementation, fingerprints can be used to aid in authentication of users or devices, or to tag a piece of downloaded digital content to associate it with a specific user. In some cases fingerprints are managed as explicit data items, and in others, they can be produced at will (close to the biological case) from any suitable context (e.g. a device or a media file) with no special requirements on the file. This is a probabilistic process that makes a different tradeoff than watermarks which, when present and detected, are always accurate. See also UID, traceability.

2) Specific term of art for technology that recognizes commercial content "on-the-fly", even when that content has no inherent DRM or metadata. One potential application is that it could help P2P companies go straight by recognizing copyrighted music, which seems to be what iMesh is doing.

Special-purpose, low-level software contained on (hard-wired or periodically updateable) hardware chips. There used to be a fairly clear distinction between firmware and software, with different threat models for each. For instance early game consoles were routinely cracked by attacking their BIOS, a form of firmware. Today, in a world of mobile devices storing apps in flash memory, the distinction is not so clear. A security analyst must make more subtle distinctions about memory, such as the nature of updateability, where it can be accessed from, and where it falls in a "chain of trust" from initial hardware bootstrapping logic through bringing up an OS, to final application execution.

Applicable to questions which are of interest to the legal system. Some DRM-related technologies, notably watermarks, are well-suited to forensic applications, i.e. establishing that specific content was obtained (perhaps fraudulently) from a particular source or even by a specific device or individual - this is known as "traitor tracing". In the DRM world, forensic measures do not themselves prevent unlicensed use of content, but they can help trace such leaked content. In some cases, such as the illicit rebroadcasting of high-value sports events, traitor tracing can lead to real-time shutdown of illicit streaming sources on the Web.

The layout of a digital asset such as physical media (CD/DVD), or of files containing video or music. File formats are more logical than physical and are most clearly visible in the PC world where they usually correspond to file extensions, e.g. .mp4 for MPEG-4 files. Note that, MP3 files aside, file formats are NOT necessarily the same as media codecs; for example, Microsoft's .avi file format supports multiple codecs, via a four-character code which identifies the required codec for any given piece of media. This has enabled third parties to supply extensions for many codecs (not always with Microsoft's approval, but that's another story.)

A function of the early 1.0 implementation of OMA DRM, introduced into cell phones circa 2004. Forward lock simply prevents a user from forwarding (presumably DRM-protected and paid-for) content - it's locked into the phone. It got a bad rap when it turned out that some implementations prevented people from forwarding their own content, like personal photos.

Easily broken, by design intent. Usually such fragility serves a larger purpose which makes the overall system more reliable. For example, some smart cards are designed so that their internal components will break if anyone attempts to remove them from their housing- which is preferable to having an attacker discover sensitive private information or reverse-engineer the card's technical secrets. Similarly some types of watermarks are designed to be fragile i.e. to get "lost" from the data when it is converted from digital to analog and back. See also robust.
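The forensic and fragile entries above describe two watermark designs with opposite goals. The following is an added example, not code from the page or from any watermarking product, that carries a recipient ID in both styles at once on a constructed audio-like signal: a fragile mark written into sample LSBs, and a robust spread-spectrum mark detected by correlating against a secret chip sequence. A simulated digital-to-analog round trip (additive dither) destroys the first and leaves the second readable, which is what makes the second usable for traitor tracing. All parameters and the dither model are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Toy parameters (assumed, not from any product): 16-bit recipient IDs, 256
// samples per spread-spectrum bit, mark amplitude 16 LSBs, and a secret seed
// that the embedder and the detector share.
const (
	idBits   = 16
	chunk    = 256
	strength = 16
	pnSeed   = 1234
)

// masterSignal is a constructed 16-bit tone standing in for the unmarked asset.
func masterSignal() []int16 {
	s := make([]int16, idBits*chunk)
	for i := range s {
		s[i] = int16(1000 * math.Sin(float64(i)*2*math.Pi/97))
	}
	return s
}

// chipSequence is the secret +/-1 pattern the robust mark is spread over.
func chipSequence(n int) []int {
	r := rand.New(rand.NewSource(pnSeed))
	pn := make([]int, n)
	for i := range pn {
		pn[i] = 2*r.Intn(2) - 1
	}
	return pn
}

// embed makes one recipient's copy: a robust spread-spectrum mark carrying the
// ID (each bit adds +pn or -pn across its chunk), plus a fragile mark that just
// writes the ID bits into the LSBs of the first 16 samples.
func embed(master []int16, id uint16) []int16 {
	out := make([]int16, len(master))
	copy(out, master)
	pn := chipSequence(len(master))
	for b := 0; b < idBits; b++ {
		sign := 2*int(id>>uint(b)&1) - 1
		for i := b * chunk; i < (b+1)*chunk; i++ {
			out[i] += int16(sign * strength * pn[i])
		}
	}
	for b := 0; b < idBits; b++ {
		out[b] = out[b]&^1 | int16(id>>uint(b)&1)
	}
	return out
}

// extractFragile reads the LSB mark; it is exact as long as the samples are untouched.
func extractFragile(s []int16) uint16 {
	var id uint16
	for b := 0; b < idBits; b++ {
		id |= uint16(s[b]&1) << uint(b)
	}
	return id
}

// extractRobust is an informed detector: the rights holder has the unmarked
// master, subtracts it, and correlates the residue of each chunk with the chip
// sequence. The sign of the correlation is the bit.
func extractRobust(master, suspect []int16) uint16 {
	pn := chipSequence(len(master))
	var id uint16
	for b := 0; b < idBits; b++ {
		corr := 0
		for i := b * chunk; i < (b+1)*chunk; i++ {
			corr += int(suspect[i]-master[i]) * pn[i]
		}
		if corr > 0 {
			id |= 1 << uint(b)
		}
	}
	return id
}

// analogHop stands in for a D/A -> A/D round trip as additive dither of up to
// 13 LSBs. It is made odd-valued so that every sample's LSB is disturbed; real
// converters are messier, but that is exactly what happens to an LSB mark.
func analogHop(s []int16, seed int64) []int16 {
	r := rand.New(rand.NewSource(seed))
	out := make([]int16, len(s))
	for i, v := range s {
		out[i] = v + int16(2*(r.Intn(13)-6)+2*r.Intn(2)-1)
	}
	return out
}

func main() {
	master := masterSignal()
	copies := map[string][]int16{"alice": embed(master, 7), "bob": embed(master, 42)}
	leaked := analogHop(copies["bob"], 99) // bob's copy shows up on a file-sharing site
	fmt.Printf("fragile mark reads %d, robust mark reads %d (alice=7, bob=42)\n",
		extractFragile(leaked), extractRobust(master, leaked))
}
```

The robust detector survives because the worst-case dither over a 256-sample chunk (13 x 256) is still smaller than the mark's contribution (16 x 256); shrinking the amplitude or the chunk trades robustness for audibility, which is the real design problem. Detection here is informed (the master is available), which is the usual situation in forensic use; a blind detector has to fight the host signal as well as the noise.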

Fravia was one of the foremost underground experts on reverse engineering of PC software in the 1990s. His "Fravia's pages of reverse engineering" was a favorite haunt of both black hats and DRM system designers. The site contained many tutorials on how to crack security schemes such as TBYB functions in PC games. Italian by birth, Fravia had a philosophical side and decided in the late 1990's to shut down after concluding that his efforts were, on balance, being misused. All that is left now of his work is unreliable archives such as this one (link may be broken).

Political nickname for the Trusted Platform Module security chip, named after American Senator Fritz Hollings, a staunch political ally of the entertainment industry, who favored mandatory inclusion of such devices in Personal Computers. He sponsored a Senate Bill proposing such mandatory inclusion, which died in early 2003. Chips in the same spirit continued to evolve through various phases such as the Next Generation Secure Computing Base, and at one point it seemed Microsoft was seriously considering mandating them in PCs, but there is no longer any will to force mass deployment of them. Such chips are in fact fairly common in enterprise class PCs today, but there is no killer app using them, and there is no sign that consumers would ever want one.

G

1) A software special case of Unique Identifier which is guaranteed to be unique world-wide. Often, such GUIDs are created on the fly, and in these cases their uniqueness is usually guaranteed by using unique local attributes available to software, such as network MAC addresses. Or sometimes they are generated randomly, with a sufficiently large size that collisions between different devices are extremely unlikely.

2) Sometimes in the DRM domain, especially PlayReady DRM, a GUID is further specialized into a pre-defined "magic number" which specifies (usually in a content license) specific protections for an item of content. Such GUIDs are simply hard-to-understand shorthand for specific software control requests e.g. "turn on CGMS".

H

A person with both the skills and inclination to learn about - and possibly circumvent - various forms of security; for the purposes of this dictionary, that is computer security, including network security and DRM. The most famous hacker of all time, Kevin Mitnick, personifies the common confusions about hackers. Are they predominantly just curious or are they master criminals? For the purposes of this site, we avoid such debates and regard hackers as people with certain skills who aren't thereby good or bad. Those who choose to use their skills constructively are commonly referred to as white hats and those who go to the dark side are black hats.

The High-Definition Audio-Video Network Alliance, an industry consortium formed in 2005, promoting in-home media networking over FireWire with a standard remote UI. It had confusing overlap with the DLNA, never really caught on, and was dissolved in 2009.

Technology from Real Networks which allowed their media player to render content protected by DRM systems other than their own - i.e. interoperable DRM. Trouble is, none of the owners of those other DRM systems actually wanted to interoperate, so Real had to do it by reverse-engineering, raising a legal onslaught (e.g. on the basis of the DMCA). Today, to your scribe's knowledge, their technology no longer involves such "interoperability through hacking".

Video of high quality, usually with high-quality audio to match, such as is used in major Hollywood productions. Technically, High Definition is a somewhat vague and moving target. Currently, most people would consider 1080p video with 5.1 surround sound (Blu-Ray quality) to be HD, although 4K TV is coming up fast. From a DRM perspective, new technological protections (such as Media Path Protection) are usually added every time "High Definition" gets significantly higher.

The latest greatest video compression standard, which is a successor to H.264/MPEG-4 and uses only about half the bandwidth for video of equivalent quality. It is getting a lot of attention because such technology is needed to support the delivery of ever-higher-resolution video via OTT networks such as Netflix. A related driver is that there is no physical (e.g. Blu-Ray) disk format that supports 4K video currently, and although such formats are in development, sales of physical disks and disk players are plummeting and may be close to zero by the time 4K video is widespread. So Internet delivery may well become the dominant (or only) means of distribution of such video, and will require the most efficient codecs imaginable.

A legacy media DRM technology from Real Networks. Real Networks was notable for trying to make their DRM interoperate with others (see Harmony), without much success. Helix evolved into more generalized streaming server technology and RealNetworks eventually discontinued the product line in 2014.

A content protection scheme for digital video links licensed by an Intel-led consortium. The original (1.x) version is in very wide use as the de-facto protection mechanism for consumer HDMI connections, which are ubiquitous on HD TVs, Blu-Ray players, set-tops etc. There were some questionable choices made in the key management for the 1.0 version and a "master key" was leaked in 2010 which was, from a technical security point of view, fatal to the spec. Certainly, HDCP no longer meets its original security intent - to prevent siphoning of unencrypted high-quality video signals - as there are commercial devices available which decrypt it. To be fair, the availability of such devices has more to do with the limitations of revocation than with key leaks. More recently a 2.x version of the specification emerged with better design and more features, such as one-to-many connections. It too fell victim to an attack - fortunately, by a friendly academic early in deployment, leading to a 2.2 version of the spec. It is not clear if it will be widely adopted.
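The "questionable choices" in HDCP 1.x key management come down to linearity: each device holds 40 secret 56-bit keys, its public KSV selects which of the peer's keys are summed, and the authority derives every device's keys from one symmetric master matrix. Because derivation is linear, an attacker with enough leaked device key sets can build new ones without the master, which is why a single "master key" existed to leak in the first place. The following is an added example, not code from the page or from the HDCP specification, that shrinks the scheme to 6 keys with weight-3 KSVs (the real parameters are 40 and 20) and forges a working device from three leaked ones. The matrix generator and the device names are constructed for the example.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Toy dimensions. Real HDCP 1.x: 40 keys of 56 bits per device, and a 40-bit
// KSV with exactly 20 bits set.
const (
	nKeys  = 6
	weight = 3
	mod    = uint64(1) << 56
)

// Device holds a public KSV (bit j set means "key j takes part") and the secret
// 56-bit key set issued to it.
type Device struct {
	KSV  uint8
	Keys [nKeys]uint64
}

func validKSV(ksv uint8) bool {
	return ksv>>nKeys == 0 && bits.OnesCount8(ksv) == weight
}

// Authority models the licensing body's master secret: a symmetric nKeys x nKeys
// matrix M. A device with KSV v gets Keys[i] = sum over j in v of M[i][j].
// Symmetry of M is what makes the two sides' sums agree.
type Authority struct{ M [nKeys][nKeys]uint64 }

func newAuthority(seed uint64) *Authority {
	a := &Authority{}
	x := seed
	for i := 0; i < nKeys; i++ {
		for j := i; j < nKeys; j++ {
			x = x*6364136223846793005 + 1442695040888963407 // LCG; fine for a toy
			a.M[i][j] = x % mod
			a.M[j][i] = a.M[i][j]
		}
	}
	return a
}

func (a *Authority) issue(ksv uint8) Device {
	if !validKSV(ksv) {
		panic("invalid KSV")
	}
	d := Device{KSV: ksv}
	for i := 0; i < nKeys; i++ {
		for j := 0; j < nKeys; j++ {
			if ksv>>uint(j)&1 == 1 {
				d.Keys[i] = (d.Keys[i] + a.M[i][j]) % mod
			}
		}
	}
	return d
}

// sharedKey is the authentication step: add up your own keys at the positions
// selected by the *peer's* KSV. Transmitter and receiver land on the same value.
func sharedKey(self Device, peerKSV uint8) uint64 {
	var km uint64
	for j := 0; j < nKeys; j++ {
		if peerKSV>>uint(j)&1 == 1 {
			km = (km + self.Keys[j]) % mod
		}
	}
	return km
}

// forgeDevice uses no master secret at all. Because issue() is linear in the
// KSV, a device whose KSV is the 0/1 vector a - b + c has, key for key, the
// same combination of a's, b's and c's key sets. Three leaked devices suffice.
func forgeDevice(a, b, c Device) (Device, bool) {
	var d Device
	for j := 0; j < nKeys; j++ {
		v := int(a.KSV>>uint(j)&1) - int(b.KSV>>uint(j)&1) + int(c.KSV>>uint(j)&1)
		if v < 0 || v > 1 {
			return Device{}, false // this combination is not a 0/1 vector
		}
		d.KSV |= uint8(v) << uint(j)
	}
	if !validKSV(d.KSV) {
		return Device{}, false
	}
	for i := 0; i < nKeys; i++ {
		d.Keys[i] = (a.Keys[i] + mod - b.Keys[i] + c.Keys[i]) % mod
	}
	return d, true
}

func main() {
	auth := newAuthority(7)
	tx, rx := auth.issue(0b000111), auth.issue(0b001110) // KSVs {0,1,2} and {1,2,3}
	fmt.Printf("tx computes %014x, rx computes %014x\n", sharedKey(tx, rx.KSV), sharedKey(rx, tx.KSV))

	leakedC := auth.issue(0b111000) // {3,4,5}
	forged, ok := forgeDevice(tx, rx, leakedC)
	fmt.Printf("forged KSV %06b valid=%v, authenticates to rx: %v\n", forged.KSV, ok,
		sharedKey(forged, rx.KSV) == sharedKey(rx, forged.KSV))
}
```

The forged device is indistinguishable from one the authority issued, and revocation by KSV does not help, since the attacker can choose any KSV reachable by such combinations. The full attack, published in 2001 before the 2010 leak, generalizes this to recovering the entire master matrix from roughly 40 device key sets by solving the linear system.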

A physical interface specification that takes the existing DVI digital video interface and adds multi-channel digital audio. HDMI has evolved through 1.x and 2.x versions in recent years and consumers have been stung by not having the right version of HDMI at both ends of a connection. The DRM connection is that HDMI supports the HDCP link protection scheme. As of this writing, most consumers are using HDMI 1.3 or 1.4 in their living rooms, mainly because the single physical connection is very convenient. The 2008 version 1.3 of the spec is described here.

The first popular video codec with breakthrough compression factors. It and similar efficient codecs are key enablers for services such as Netflix and are doing for video what MP3 did for music - scaring the hell out of media owners by making downloading movies a practical proposition. Otherwise known as MPEG-4 Part 10 or AVC, it offers video compression with a 60% reduction in bit rate compared with MPEG-2 for the same quality and resolution. Both H.264 and Microsoft's son-of-WMP9 VC-1 codec are listed as mandatory support codecs for Blu-Ray.

I

One of a crop of sites which tried to legitimize peer-to-peer by marrying it to DRM (at least for some content), and as far as your scribe knows, the only such site still in business. They actually survived an RIAA lawsuit in 2004; apparently, they have appeased content providers by blocking the transfer of copyrighted material through their network via the use of acoustic fingerprinting which recognizes such content. They claim to have "access to over 15 million songs and videos, all legal and free". It all smells a bit funny - for instance, other parts of the site make it clear that copyrighted songs are charged for and that Windows Media DRM is used for their subscription model, which is also charged for. Since the music most everyone wants is copyrighted anyway, the advantage of this over the likes of iTunes or Spotify is far from clear.

A process by which a media player device - typically a portable one which does not have a permanent network connection - acquires a license to play a particular piece of media using a second intermediary device such as a PC. The intermediary device might either create such a license itself, or engage in an Internet-based acquisition process on the portable player's behalf. In today's world, where virtually every relevant device has its own internet connection, ILA is relatively rare. Most media devices call home directly over the Internet ("Direct License Acquisition", duh).

A European DRM technology company which was too far ahead of its time, specializing in eBooks and enterprise document markets a decade or more ago, a time during which eBooks were a wasteland. It's not clear exactly when they disappeared but their site is no more.

The leading third-party supplier of installation software for PCs, with which almost any PC user is familiar. The DRM connection is that they were bought by Macrovision in 2004. Presumably Macrovision saw possible synergy between installation and software DRM. It's not clear Macrovision ever did much about it, and they spun Installshield and other software technologies back out in 2008 as part of a larger private-equity deal.

The ownable fruit of someone's mental efforts. There are many forms of Intellectual Property, notably patents, trade secrets, copyrights, and trademarks. For the form that most affects DRM, see the entry on patents. Music and movies are IP too; see also licensing.

One of the earliest Internet "chat" programs, with roots going back to the 1980s. Through the 1990s and even now, IRC has been a favorite hangout for hackers of all stripes. IRC is better suited to their activities than the Web, because conversations are transient by nature and can be restricted to known parties. IRC is good place to gain insight into cracking activities, but it is generally true that cracks which never get outside IRC have little economic impact. For more, see their classic FAQ.

The ability of different types of computers, networks, operating systems, and applications to work together effectively, without prior communication, in order to exchange information in a useful and meaningful manner. DRM systems are not meaningfully interoperable, and since this situation has persisted for the decade or two during which your scribe has been watching, in spite of several earnest efforts to change it, it seems unlikely to change. Basically, it is not in the interests of the dominant and/or incumbent players in a space to interoperate with others. What has Apple to gain, for instance, by making iTunes interoperable?

There are some initiatives, such as Ultraviolet which may eventually lead to what looks like interoperability from a consumer's point of view - that is, the ability to access their paid content on any device. However Ultraviolet faces many challenges, not the least of which is (in line with the above observation) no participation from Apple and Disney.

At one time the largest of the pure DRM companies, with few products to speak of but a huge patent portfolio and a long history of suing DRM technology providers, including Microsoft. The company - which is to say the patents - was bought by Sony and Philips in November 2002. In 2004, Microsoft made a settlement of over $400 million to get out of court. Not coincidentally, that amount is a bit more than was paid for the company. They are still actively selling Marlin DRM technology.

The operating system used by Apple for portable devices such as the iPad and iPhone. Apple runs a vertical market where they manufacture or control the devices, the OS, and the OS update infrastructure, and key applications such as iTunes. They also control third-party applications closely by vetting every proposed application for their App Store to make sure it conforms to their policies, and doing the Code Signing themselves only on approved apps. There is no self-signing, unlike Android. An iOS device will only run apps signed in this way, unless it is Jailbroken. All of this plus a host of other measures mean that a non-jailbroken iOS device has an impressive overall level of security. More details can be found in Apple's iOS Security Guide.
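The firmware entry above talks about a "chain of trust" from the initial bootstrap logic through the OS to application execution, and the iOS entry gives the concrete instance: only apps signed by Apple's key run, and that rule is itself enforced by an OS whose own image was verified by the stage before it. The following is an added example, not code from the page or from Apple, of the mechanism in its simplest form: each stage carries the public key that the next stage must verify against, and the boot ROM's key is the hard-wired root. Names, images and the three-stage layout are assumptions for the example; Ed25519 stands in for whatever signature scheme a real device uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in the boot chain: an image, a signature over it, and the
// public key that the *next* stage must verify against. Each stage thus carries
// the trust anchor for the one after it; the ROM carries the first anchor.
type Stage struct {
	Name    string
	Image   []byte
	NextKey ed25519.PublicKey // nil for the last stage
	Sig     []byte
}

// stageDigest binds the image and the embedded anchor together, so replacing a
// stage's anchor with an attacker's key invalidates that stage's signature.
func stageDigest(image []byte, nextKey ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(image)
	h.Write(nextKey)
	return h.Sum(nil)
}

func signStage(signer ed25519.PrivateKey, name string, image []byte, nextKey ed25519.PublicKey) Stage {
	return Stage{Name: name, Image: image, NextKey: nextKey,
		Sig: ed25519.Sign(signer, stageDigest(image, nextKey))}
}

// verifyChain is what the boot ROM (and then each stage in turn) does: check the
// next image against the anchor it holds, then hand over. It returns the name of
// the first stage that fails to verify, or "" when the whole chain is good.
func verifyChain(rootKey ed25519.PublicKey, chain []Stage) string {
	anchor := rootKey
	for _, s := range chain {
		if !ed25519.Verify(anchor, stageDigest(s.Image, s.NextKey), s.Sig) {
			return s.Name
		}
		anchor = s.NextKey
	}
	return ""
}

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// buildDevice constructs a toy device: a root key burned into ROM, a bootloader
// signed by the root key, an OS signed by the OS key the bootloader anchors, and
// an app signed by the store key the OS anchors. Names and images are made up.
func buildDevice() (ed25519.PublicKey, []Stage) {
	rootPub, rootPriv := keypair()
	osPub, osPriv := keypair()
	storePub, storePriv := keypair()
	chain := []Stage{
		signStage(rootPriv, "bootloader", []byte("bootloader image"), osPub),
		signStage(osPriv, "os", []byte("os image"), storePub),
		signStage(storePriv, "app", []byte("media player app"), nil),
	}
	return rootPub, chain
}

func main() {
	root, chain := buildDevice()
	fmt.Printf("pristine device: failed stage = %q\n", verifyChain(root, chain))

	// A cracked app: same bytes as the real one except one patched string.
	patched := append([]Stage(nil), chain...)
	patched[2].Image = []byte("media player app, license check removed")
	fmt.Printf("patched app:     failed stage = %q\n", verifyChain(root, patched))

	// A self-signed app: valid signature, but under a key no stage anchors.
	_, myPriv := keypair()
	selfSigned := append([]Stage(nil), chain...)
	selfSigned[2] = signStage(myPriv, "app", []byte("my own app"), nil)
	fmt.Printf("self-signed app: failed stage = %q\n", verifyChain(root, selfSigned))
}
```

This is also why a jailbreak is more than "turn off the app check": patching the OS stage to skip verification changes the OS image, which then fails its own check at the stage before, so a jailbreak has to defeat the chain at some earlier, harder link as well. The practical security analysis the firmware entry calls for is exactly the question of which stages are updateable, by whom, and with what anchor.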

The best portable media player ever made and a compelling argument that even though DRM is inherently imperfect, good products can make intelligent use of DRM and thrive. They are brilliant and so is the integration of iTunes software with the iPod and the iTunes music store, and Apple's iCloud. Buying CDs now seems a quaint way to get music thanks to them and their many imitators. Success has made them a target: their FairPlay DRM is cracked with some regularity, and Microsoft tried to emulate their plug-and-play simplicity with the now-defunct PlaysForSure program and again with the ill-fated Zune.

A decade after their introduction, iPods are less common, but only because so many of us have iPhones with the iTunes media app built in - it is just the evolution of a brilliant ecosystem controlled by Apple.

TV delivered over the Internet Protocol - that is to say, in Internet-style packets as opposed to the fixed-bandwidth-per-channel approach traditionally used in broadcast and cable television systems. As originally envisaged around the turn of the millennium, it was largely a solution in search of a problem; for instance, phone companies hoped they would use it to deliver video over domestic twisted-pair phone-line (DSL) connections, which never really took off. The term is rarely used any more; though IP delivery is alive and well, it has morphed into video delivery over the public Internet, where it is usually referred to as Over-The-Top video.

A multi-national, Dutch-based media security company which started with Set-Top box security decades ago and has evolved and acquired its way (e.g. through the purchase of Cloakware) into a provider of security technology and solutions for online media. Full disclosure: your scribe has been working for Cloakware/ Irdeto since 2004, and is still an even-handed commentator on the DRM scene - I do this on my own time ;-)

Apple's highly successful debut in the legitimate on-line music business, which provided a benchmark for others to follow. Unlike many of its competitors iTunes focuses on selling music per-download rather than as a monthly subscription service. For the most part they don't even apply DRM to music any more as, for most people, the convenience of buying from them wins over searching dark corners of the Internet to save 99 cents.

J

A hack against the security of the iOS mobile operating system platform which defeats key platform security features, notably by removing the enforcement that only apps signed by Apple can be installed on the device. With this requirement removed, anyone can develop and/or install their own apps, including apps such as hacking tools or DRM circumvention tools which Apple would certainly not knowingly distribute. For this reason, a jailbroken device is often regarded by content providers and service operators as suspect, which could result in a policy response such as downgraded quality of service. In fact, many users jailbreak their devices for reasons having nothing to do with piracy e.g. customization or running their own apps. To be fair however, Apple has exemplary device security which benefits their users as well as content providers, and their closed ecosystem is a big part of that security, so many iOS users prefer not to jailbreak their devices.

Jailbreaking is a hot area of research where skilled attackers look at every new OS release and design a jailbreak mechanism which is often made easily and freely accessible to the public (e.g. "jailbreakme.com"). The most recent device/ OS combinations from Apple have resisted jailbreaking for several months, much longer than they did in the past, and often minor releases of the OS exist primarily to defeat a recently developed jailbreak.
Other OSes, notably Android, are also subject to this class of attack; on other devices it is referred to as rooting.

In most jurisdictions, notably including the USA, it has been established that it is legal to jailbreak devices.

Janus

Code name for DRM functionality introduced in Microsoft's Windows Media Player 10, which gave content providers more control of content in space and time. For instance, it enabled content to be revoked on time-based expiry even if the content was moved to secondary devices such as portable media players. Media producers like the idea, and it does enable an "all-you-can-eat" subscription model. These capabilities have been retained in the successor technology, PlayReady.

The popular programming language from Sun (now owned by Oracle). Actually, it's more than a language; running a Java program also requires a special environment - at a minimum, an interpreter that converts standard Java byte codes into the native instructions of the actual processor at hand. This gives Java excellent portability. Java has been fragmented and shaped by legal rivalry between Sun and Microsoft, and is not always found on Microsoft PCs, but is becoming a platform of choice for smaller devices such as cell-phones. In particular it is commonly used as the application development language for Android apps, although Android also supports native code development.

A standard for compressing digital still images, widely used on the World Wide Web. JPEG images on the Web are easily stolen, but since their value is limited few DRM technologies address Web images. Most JPEG image owners either ignore the issue or use watermarks in their images so that large-scale or commercial theft can be deterred.

One of the better-known security experts in the DRM technology arena. Kris has several books relating to either building copy-protection schemes, or cracking them. He has also built PC anti-copy schemes, but that is a very precarious living (see time to crack), so he has recently moved to the more promising anti-virus business.

One of the best-known second-generation peer-to-peer applications. Following in the footsteps of Napster, such systems were more decentralized and thus harder to effectively attack legally. Even so they got gradually sued into oblivion, and their site is no longer active.

In cryptography, a special piece of data which enables the creation/encoding and/or decoding of encrypted data. There are many kinds of keys and many kinds of cryptographic systems which use them. Most DRM systems make use of such keys. Sometimes the term is used imprecisely to refer to secret data such as software serial numbers, which are not keys in the above sense. (See also keygen.)

An audio CD anti-copy scheme from Sony's media manufacturing subsidiary Sony DADC. Its initial form was supposed to prevent playback on PCs altogether but was cracked with a magic marker. History since then has shown that consumers simply won't put up with such nonsense, and besides, no one puts technological protections on CD-quality audio anymore anyway.

The discovery of a cryptographic key left "lying around", by an adversary who can then use it to decrypt data that he is not supposed to see - or more generally, obtain content, functionality, or privileges to which he is not entitled. In a typical DRM application on an open platform such as a PC, software retrieves and uses a "key" which can be intercepted either as it is stored (e.g. on disk) or as it is read into the DRM application. Since, with strong cryptography, brute-force guessing of a key is virtually impossible, key discovery is a superior - and more often used - mode of attack. That's why key hiding is often a requirement of DRM Robustness Rules. Preventing key discovery by skilled adversaries in software implementations is extremely difficult and requires specialized technologies such as White Box cryptography from Irdeto.
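A key "lying around" in the memory of a running player is found with ordinary dynamic analysis (see that entry): dump the process, scan for windows that look like key material, and confirm each candidate against the content. The following is an added example, not code from the page or from any player or attack tool, of that two-step search: an entropy scan to shortlist 16-byte windows, then a trial decryption of the asset's first block against a known header. The dump contents, the key, the header and the block-mode first block are all constructed for the example; for a CTR-encrypted asset the confirmation step would instead encrypt the counter block and XOR.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
	"math"
)

// Constructed scenario values (not from any real player): the content key the
// player loaded into RAM, and the first 16 bytes of the protected file, which
// for this made-up container format is a fixed header.
var contentKey = []byte{0x9f, 0x3a, 0xc1, 0x07, 0x5e, 0xb2, 0x48, 0xd6,
	0x13, 0xe9, 0x7c, 0x20, 0xa5, 0x6b, 0xf4, 0x8d}
var knownHeader = []byte("DRMASSET-v1\x00\x00\x00\x00\x00")

// shannon returns the byte entropy of a buffer in bits per byte (at most 4.0
// for a 16-byte window, reached when all 16 bytes differ).
func shannon(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// candidateKeys slides a 16-byte window over the dump and keeps offsets whose
// contents look random. Text, zeros and pointers fall well below the threshold;
// keys, IVs and ciphertext sit near the top of the scale.
func candidateKeys(dump []byte, threshold float64) []int {
	var offs []int
	for i := 0; i+aes.BlockSize <= len(dump); i++ {
		if shannon(dump[i:i+aes.BlockSize]) >= threshold {
			offs = append(offs, i)
		}
	}
	return offs
}

// confirmKey tries each candidate against the file's first ciphertext block; a
// candidate that turns it into the known header is the content key. Comparing
// a full 16-byte block rules out chance matches.
func confirmKey(dump []byte, offs []int, firstBlock []byte) (int, bool) {
	plain := make([]byte, aes.BlockSize)
	for _, off := range offs {
		block, err := aes.NewCipher(dump[off : off+aes.BlockSize])
		if err != nil {
			continue
		}
		block.Decrypt(plain, firstBlock)
		if bytes.Equal(plain, knownHeader) {
			return off, true
		}
	}
	return 0, false
}

// buildScenario fabricates a small "memory dump" of a running player (mostly
// low-entropy state strings) with the key sitting between two runs of filler,
// and the first block of the encrypted asset as it would be read from disk.
func buildScenario() (dump, firstBlock []byte) {
	filler := bytes.Repeat([]byte("player state: license=trial; user=alice; track=17; \x00\x00\x00\x00"), 8)
	dump = append(append(append([]byte{}, filler...), contentKey...), filler...)
	block, _ := aes.NewCipher(contentKey)
	firstBlock = make([]byte, aes.BlockSize)
	block.Encrypt(firstBlock, knownHeader)
	return dump, firstBlock
}

func main() {
	dump, firstBlock := buildScenario()
	offs := candidateKeys(dump, 3.0)
	off, found := confirmKey(dump, offs, firstBlock)
	fmt.Printf("%d candidate windows, key confirmed at offset %d: %v\n", len(offs), off, found)
}
```

The entropy threshold only prunes; the known-plaintext check is what decides, and almost every real format (container magic, a known first frame, a known license structure) gives the attacker such a check. That is the argument for the Robustness Rules' key-hiding requirement: if the raw key ever sits contiguously in memory, a scan like this finds it, which is what white-box implementations try to avoid.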

The wildly popular eBook from Amazon which first appeared in 2007. It is based on a variant of the Android operating system and uses proprietary DRM associated with an Amazon-specific protected format for electronic books sold through their Web store.

Short for "key generator". Up until a few years ago, many shrink-wrapped CDs of PC software had a unique serial number on a piece of paper in the package, and required a valid serial number to install successfully. However, assuming that an off-line install was supported, local code in the installer algorithmically determined the validity of the presented serial number. Such code was routinely reverse engineered to determine the valid serial number algorithm, and that knowledge was captured as a crack - in this case, a redistributable keygen program. Indeed, in the trivial case, just using ONE valid serial number - which has perhaps been used and shared by thousands of others - in a replay attack would do the trick.

Keygens and serial number sharing are rare today as applications are using Internet connections, not just local code, to verify the validity and uniqueness of keys and licenses generally.
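The two models described above, side by side, as an added example that is not code from the original page: a purely local serial check, which any copy of one valid serial passes on every machine, and the server-side activation registry that makes a shared serial visible because it binds each activation to the machine presenting it. The serial format, the mod-10 check digit, the machine identifiers and the activation cap are all constructed for the demo.

```python
"""Local serial check vs. server-side activation with shared-serial detection.

Added example (not from the original page). Serials, machine ids and the
per-serial machine cap are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


def offline_check(serial: str) -> bool:
    """Purely local validity test (hypothetical format: four groups of four
    digits, last digit a mod-10 check digit over the other fifteen).
    Because this is a function of the serial alone, one valid serial passes
    on every machine: the replay weakness the entry describes."""
    groups = serial.split("-")
    if len(groups) != 4 or not all(len(g) == 4 and g.isdigit() for g in groups):
        return False
    digits = [int(ch) for ch in "".join(groups)]
    return sum(digits[:-1]) % 10 == digits[-1]


@dataclass
class ActivationServer:
    """Server-side registry: a serial is valid only for a bounded set of
    machines, so a serial copied from the Internet stops working once the
    cap is hit, and the cap being hit is itself a detection signal."""
    max_machines: int = 3
    # serial -> set of machine fingerprints that have activated it
    activations: dict = field(default_factory=lambda: defaultdict(set))

    def activate(self, serial: str, machine_id: str) -> str:
        if not offline_check(serial):
            return "rejected:invalid"
        machines = self.activations[serial]
        if machine_id in machines:
            return "ok:reactivation"  # same machine again, e.g. a reinstall
        if len(machines) >= self.max_machines:
            return "rejected:too-many-machines"
        machines.add(machine_id)
        return "ok:new"

    def shared_serials(self, threshold: int = None) -> list:
        """Serials seen on at least `threshold` distinct machines (default:
        the cap). A serial at the cap that keeps arriving from new machines
        is the signature of a serial being shared."""
        t = self.max_machines if threshold is None else threshold
        return sorted(s for s, m in self.activations.items() if len(m) >= t)


if __name__ == "__main__":
    srv = ActivationServer(max_machines=2)
    good = "1234-5678-9012-3450"  # constructed; passes the mod-10 check
    for machine in ("machine-A", "machine-A", "machine-B", "machine-C"):
        print(machine, srv.activate(good, machine))
    print("shared:", srv.shared_serials())
```

The machine identifier is whatever the client can present; the Machine Binding entry below covers why choosing and comparing it is harder than it looks.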

A special form of directed tax added to the purchase price of certain items. In many Western nations, blank recordable media such as CD-Rs are already subject to levies. In these cases the proceeds go to compensate the entertainment industry for revenue which, it is assumed, is lost to illegal duplication of copyrighted material using these media.

Levies are very controversial, in general being hated by consumers and liked by entertainment companies. Many consumers argue that the levies penalize legitimate uses of media such as computer system backups.

Another argument against levies is that content owners are trying to have their cake and eat it too. After all, if compensation for artists is built in to the cost of CD-Rs, that should make such copying legal, so who needs copy control?

Acquiring the right to legitimately use or resell intellectual property. In the world of DRM, licensing is everything, at several levels.

First, of course, if you as a consumer don't have some sort of license for the content you're using, that makes you a content pirate.

The same goes for any on-line media source - the iTunes Music Store gives vast sums of money to the record labels to license the content they distribute.

Then of course there is the matter of licensing the technologies - DRM and otherwise - which are involved in encoding, delivering, and playing the media in question. A few companies - notably Intertrust, Microsoft, and Sony - collectively own huge pools of DRM-related patents. It's hard to run a content Web site - or design DRM technology - without the risk of infringing, or being accused of infringing, some of these patents.

All this means that creating an online media site with a critical mass of legitimately licensed content, using technology which is both user-friendly and not likely to attract lawsuits, is incredibly difficult. This is one of the reasons why legitimate online music distribution is restricted to a small number of large sites, most of which are part of larger DRM Ecosystems. Smaller players simply don't have the leverage and budgets required to license large amounts of content. It's also the main reason that such services take considerable time to expand outside the United States - licensing for other countries drags in a whole new team of lawyers, which is not justifiable until some success in domestic markets is demonstrated.

An initiative from the Fraunhofer Institute - generally regarded as the inventors of MP3 - to provide DRM that still allows fair use. It was apparently based on a forensic watermark which allows content to be traced but does not stop copying. The theory was that benign sharing (e.g. among family members) will continue unimpeded, but that users would hesitate to put such content traceable to them on, for example, peer-to-peer systems. Not a bad idea, but the system was technically complex and it never caught on.

Liquid Audio was arguably the first "vertical" Internet music company. Well before the turn of the millennium they only did Internet music, and they did all the parts of Internet music, from DRM to players to on-line distribution. They were the first to have PC music player technology which had DRM and was still slick and user-friendly. But Internet music didn't turn into a viable business soon enough, and time passed them by. They sold their patent portfolio to Microsoft in 2002, and paid out most of their remaining cash to stockholders in January 2003.

A media format for controlled eBooks from Microsoft. LIT was apparently an encrypted variant of the Open eBook standard, but it could only be read on Microsoft gear and seems to have disappeared in the Kindle era.

A Scotland-based DRM company which supplies technology to protect documents in various formats including PDFs and Web content such as online training. They seem to be aiming at small to medium sized organizations who wish to control their IP while still making their material easily available over the Internet, as opposed to mainstream commercial audio and video.

Lossless

Term of art used in the field of digital data compression, and particularly codecs. In a lossless system, binary data can be compressed, stored or transmitted, and uncompressed, and the end result will be a binary file that is identical, bit-for-bit, to the original. As a rule, compression schemes used for computer data - such as the Lempel-Ziv algorithm used in WinZip - are lossless, because a computer file - especially a binary executable file - can be rendered useless by even a single bit error. An Intel CPU, unlike a human ear, is not the least bit forgiving. Audio and video codecs, on the other hand, are usually lossy - not because losing data per se is good, but because lossiness allows for much higher degrees of compression. 10x compression is typical of a lossy media codec whereas 2x is more typical of a lossless compression scheme. Clever design techniques such as perceptual coding are used to ensure that lossy codecs produce results that are of high enough quality for human consumption.

M

Machine Binding

Also known as Node Locking. Technology which limits the use of a particular item of software or digital media to one physical machine, e.g. one particular PC or smart-phone. Usually machine binding is done as part of the licensing process for that item of content. Most content owners like machine binding because it makes piracy more difficult. Unless it is done very carefully though, it can be a significant problem for users, who may have difficulty keeping their rights over time. In part, the difficulty arises from the fact that many consumer devices do not have reliable uniquely identifiable information built into the hardware (or if they do, it's not accessible - see UDID). As a result of this and of the requirement to be tamper resistant, most machine binding systems are ad-hoc, with behavior that can be difficult to predict through upgrades of devices, operating systems, and application software versions.
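One way to make machine binding tolerate the device changes the entry warns about, as an added example that is not code from the original page or from any DRM vendor: the license carries a digest of each hardware attribute separately, plus a minimum number that must still match, so a single disk or network-card swap keeps the license alive while a wholesale move to another machine does not. The attribute names, their values and the server key are constructed; a real deployment would read the attributes from the OS and use a public-key signature so the client holds no signing secret.

```python
"""Machine binding with a tolerant, per-attribute hardware fingerprint.

Added example, not from the original page. Attribute names/values and the
server key are constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Constructed demo key. In practice the server signs with a private key and
# the client verifies with the matching public key.
SERVER_KEY = b"constructed-demo-key"


def attr_digest(name: str, value: str) -> str:
    """Digest one attribute so raw serial numbers never sit in the license."""
    return hashlib.sha256(f"{name}={value}".encode()).hexdigest()


def issue_license(machine: dict, content_id: str, min_match: int) -> dict:
    """Bind to per-attribute digests so individual changes can be tolerated,
    and MAC the whole body so the client cannot loosen min_match."""
    body = {
        "content_id": content_id,
        "min_match": min_match,
        "attrs": {k: attr_digest(k, v) for k, v in sorted(machine.items())},
    }
    blob = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()
    return body


def check_license(lic: dict, machine: dict) -> tuple:
    """Return (ok, matched_attribute_count). Verify the MAC before trusting
    any field, then count attributes that still match the current hardware."""
    unsigned = {k: v for k, v in lic.items() if k != "mac"}
    blob = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lic.get("mac", "")):
        return (False, 0)
    matched = sum(
        1 for k, d in lic["attrs"].items()
        if k in machine and attr_digest(k, machine[k]) == d
    )
    return (matched >= lic["min_match"], matched)


# Constructed hardware attribute sets.
ORIGINAL = {"cpu_id": "cpu-0001", "board_serial": "mb-AAAA",
            "disk_serial": "hd-1111", "mac_addr": "00:11:22:33:44:55"}
UPGRADED = dict(ORIGINAL, disk_serial="hd-2222")          # one disk swapped
OTHER = {"cpu_id": "cpu-0002", "board_serial": "mb-BBBB",
         "disk_serial": "hd-3333", "mac_addr": "66:77:88:99:aa:bb"}

if __name__ == "__main__":
    lic = issue_license(ORIGINAL, "video-42", min_match=3)
    for name, m in (("original", ORIGINAL), ("upgraded", UPGRADED), ("other", OTHER)):
        print(name, check_license(lic, m))
```

The tolerance threshold is the whole design trade-off: too low and a license copied to a second machine that shares a few attribute values passes, too high and an ordinary upgrade strands the user, which is the unpredictable behaviour the entry describes.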

You have to love an on-line music service whose motto is "we are not evil" - a not-so-subtle jab at the RIAA, which is indeed considered evil by quite a few people due to a combination of immensely heavy-handed legal tactics and years of foot-dragging before supporting decent "legitimate" on-line services. Magnatunes is a genuine effort in the direction of direct distribution without DRM of any kind on an honor system - more precisely, using the licensing scheme from the Creative Commons. They use a subscription model and appear to be heavy with indie artists - or at least, at a glance, they had nobody your scribe has heard of. Nonetheless, an interesting experiment.

A DRM technology set from Intertrust. It is technically quite capable and was often ahead of its time technologically. However it's also incredibly complicated, and it has not been widely adopted. Most places where it has been adopted appear to either have had specific links with the Intertrust corporate family, or have had a particular (e.g. government inspired) anti-Microsoft predisposition which eliminated the obvious competition, PlayReady.

Protection technology which is supplemental to DRM schemes and is often required by content providers for premium (e.g. HD) content. For example, when playing HD content from a Blu-Ray disc on a PC, Media Path Protection means that the content is never in the clear at any point, even transiently in the PC's RAM, where it could be siphoned by an attacker. To do this typically involves hardware assist, maintaining some encryption on the content right up until it is passed to the video controller chipset.

(Also known as micropayment.) A spontaneous financial transaction for small goods or services, involving very small amounts of money, which can be conducted effortlessly between two parties. Ideally, such a system would work on-line in support of digital goods, would have negligible overhead so amounts of even less than 1 cent could be charged, and would require no prior set-up on the part of customers. While microtransactions have no direct relationship to DRM, microtransaction technology with these attributes would drive the online content business and thus indirectly support DRM. Indeed, some online content distributors have attempted to marry DRM-protected online distribution with their own micropayment schemes. We used to link to an example called "File-Cash" but they apparently died in 2004.

Unfortunately, in spite of many attempts, no commercially significant microtransaction technology has emerged, and there are arguments that this will not change soon, such as the paper The Case Against Micropayments (PDF) by Odlyzko. A Google search on the subject nowadays will yield mostly complaints about the "money" used in online games such as World of Warcraft. As for systems in general use, PayPal, as used on eBay, is about as close as we have come so far, especially since they now support payments of $2 or less. There are also cell-phone based alternatives such as FeliCa. See also Prepaid Cards.

A software tool that allows a developer to "hook" into the iOS operating system at a low technical level including system APIs. Like most such tools, it can only run on a jailbroken device. Unlike jailbreaking, which a lot of users do for benign reasons, the presence of mobile substrate on a device is a pretty good clue that the user, at worst, is stealing software and/or media or, at best, has downloaded a "jailbreak-only" app which makes use of the framework. Thus, apps which are concerned with security are likely to check for it; for instance Skype is rumored to downgrade their service in the presence of mobile substrate.

After-market add-on or replacement integrated circuit chips designed to defeat the hardware security measures in consumer electronics devices, notably middle-generation video game consoles such as the Xbox. A typical mod chip was installed in parallel with the original BIOS chip so the user could selectively run either an original BIOS or a piracy-friendly one which allowed the console to run copies produced with a computer's CD or DVD burner, or downloaded to a hard disk off the Internet. Technologically, such mod chips broke the "Chain of Trust" which was designed to ensure that only trusted code could operate on the system - and pirate game copies flunked the "trusted" test. Modern gaming consoles still use a similar chain of trust but are much more complex, and mod chips are not typically used in attacking them.
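The chain of trust the entry refers to, as an added example that is not code from the original page or from any console vendor: a simulated boot ROM whose trust root is a fixed digest of the BIOS, and a BIOS that in turn carries the expected digest of the game image. Swapping in a different BIOS (what a mod chip does) halts at the first link; a modified game image halts at the second. The stage images and their digests are constructed byte strings, and the demo omits the medium authentication that real consoles also perform.

```python
"""Console-style chain of trust: each stage verifies the next before
handing over control. Added example, not from the original page; stage
images are constructed byte strings standing in for real binaries.
"""
import hashlib


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Constructed stage images. The BIOS embeds the digest of the game it is
# willing to run; the boot ROM embeds the digest of the BIOS it will run.
GAME_IMAGE = b"GAME:original-title-v1"
BIOS_IMAGE = b"BIOS:official|expects-game=" + digest(GAME_IMAGE).encode()
ROOT_DIGEST = digest(BIOS_IMAGE)  # burned into immutable boot ROM


def expected_next(image: bytes) -> str:
    """Read the next-stage digest recorded in an image's 'expects-game=' field."""
    marker = b"expects-game="
    idx = image.find(marker)
    if idx < 0:
        raise ValueError("image carries no next-stage digest")
    return image[idx + len(marker):].decode()


def boot(bios: bytes, game: bytes) -> list:
    """Simulated boot ROM. Returns the trace of stages that ran, ending in
    'game' only when every link of the chain verified."""
    trace = ["rom"]
    if digest(bios) != ROOT_DIGEST:
        trace.append("halt:bios-untrusted")  # mod chip / replaced BIOS
        return trace
    trace.append("bios")
    if digest(game) != expected_next(bios):
        trace.append("halt:game-untrusted")  # modified or unsigned game
        return trace
    trace.append("game")
    return trace


if __name__ == "__main__":
    modded_bios = b"BIOS:modded|expects-game=" + digest(b"GAME:burned-copy").encode()
    print("official:", boot(BIOS_IMAGE, GAME_IMAGE))
    print("pirate game:", boot(BIOS_IMAGE, b"GAME:burned-copy"))
    print("mod chip:", boot(modded_bios, b"GAME:burned-copy"))
```

The model holds only as long as the ROM's own comparison cannot be replaced, which is why the root of the chain has to live in hardware that the owner cannot rewrite; it also says nothing about a bit-exact copy of the original game, which has the same digest, so real consoles additionally authenticate the medium it came from.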

MP3 is both an audio codec and an associated file format used for the storage and transmission of high-quality compressed music. Like the word "kleenex", the word MP3 has come to be used very generically - for example, only an engineer would bother correcting someone who called an Apple iPod an "MP3 Player", even though it actually uses a different (AAC) codec. MP3 is actually the "Audio Layer 3" part of the MPEG-1 Specification more commonly associated with video. Like most popular audio and video codecs in use today, MP3 achieves high compression by use of perceptual coding techniques. It was the powerful combination of MP3's fast downloads and Napster's easy file sharing that brought Internet music piracy and DRM into the spotlight in the late 1990s. MP3 has been superseded technically by newer codecs, and is not used for paid downloads because it does not inherently support DRM. In 2004, Fraunhofer tried to rehabilitate MP3 by applying DRM to it. But MP3 is the lowest-common-denominator digital format, and is only used today by those who want free pirate content, or value interoperability and ubiquitous hardware/software support over audiophile quality.

The Motion Picture Association of America. What the RIAA is to music, the MPAA is to movies. Which is to say, some will call them protectors of free enterprise and intellectual property, and some will call them evil monopolists. To be fair to them, the threats to the movie business in the current technology landscape (notably BitTorrent) are worse than for audio - in that case workable legitimate Internet business models have emerged, but such models are not readily applicable to assets like movies which may have to recoup development costs of $100 million or more.

MPEG

The Moving Picture Experts Group is a working group of the ISO which has defined many standards for audio and video encoding. Their most widely deployed efforts are the MP3 audio codec, the MPEG-2 video encoding used in DVD video disks, and more recently MPEG-4.

The licensing authority for intellectual property portfolios managed by MPEG. The idea is great - a one-stop shop where content owners and infrastructure suppliers can get licenses for current media technologies, including DRM. Today they offer IP licensing for a number of technologies, but it has been a rough road, with their significant early initiative - a patent pool license for OMA DRM - being widely rejected by cellular handset manufacturers. More recently they have put together a program to license technology for the HEVC codec, which appears to have reasonable commercial terms but is missing a couple of key contributors.

A PC-oriented online music service which never really got close to iTunes and has morphed over the years. They were acquired by Yahoo in 2004 and the site now redirects to music.yahoo.com. Since Yahoo has made a deal with the hot streaming service Spotify, their site also sports a Spotify tab.

By some measures (notably longevity and tune selection), Musicnet was the most successful music download site on the Internet until 2005. That still left it in the shadow of iTunes. It was originally founded in 1999 as a defensive move by a consortium of music labels. In 2005 they lost the urge to be in the distribution business directly and sold out to a venture capital firm, and the site has since disappeared.

A Canadian DRM technology company that tried to combine music protection and biometrics. The biometrics part evidently did not pan out, but the web site now redirects to another company, Yangaroo, which is apparently still in the music business in the back-office side e.g. distributing music and advertising to radio stations.

N

The program that started the peer-to-peer file-sharing craze. Invented in 1998, it went on-line in 1999 and had millions of users the same year. It also had its first lawsuits the same year, from many major record labels. It was mostly downhill from there. The brand came back as a shadow of itself, a paid online music service, and later was acquired by Rhapsody, presumably for the subscriber base. The URL still redirects to Rhapsody.

The original Napster architecture provided lessons to the creators of later P2P applications such as Kazaa and Limewire, and even today its spirit lives on in BitTorrent.

A developer of Digital Rights Management technology spun out from Nortel Networks in the late 1990s. They developed a robust, user-friendly Internet-based DRM system for Windows software and later video, but fell victim to the dot-com crash like many of their peers. (See disclaimer.)

The leading Over-The-Top consumer video service provider in the USA and other countries. They provide a variety of content on a large number of viewing devices, from tablets to PCs to smart TVs. Their service costs a lot less than traditional cable or satellite TV, but is missing a lot of the elements consumers get from the latter, such as live events. Even so, there is considerable debate about how much Netflix is contributing to the decline of the traditional pay TV business. There's certainly no doubt that they killed the traditional "Blockbuster" style retail video rental business.

One incarnation of Microsoft's security architecture for "Trusted Computing", which was known by the code name "Palladium" until 2003. It was slated for inclusion in the Vista operating system, but Microsoft backpedalled on that. It generated quite a bit of controversy and, although some of the bits survive today in Enterprise computers, it has pretty much died in the world of consumer computing.

Some perspective on the controversy part can be found in this 2003 Ross Anderson analysis.

No-CD Crack, No-DVD Crack

A specific class of Crack which modifies software designed to require the presence of original media in a drive, so that it can run exclusively from disk and the original media is not required. These schemes were common anti-piracy measures for PC games and were widely disliked for their sheer inconvenience, so such cracks were often used by people who have no desire to be pirates. If, for instance, you're traveling with a laptop with a 50 GByte drive and a game that takes 1 GByte, why would you tolerate the reduced battery life and inconvenience of using the physical media? The same largely applies to video - many of us copy it, not because we want to steal it, but because we want to watch it from our hard drives and not carry the @#$% disks around. Although to be fair, software is rarely locked to media nowadays and Managed Copy technology provides an out in the video case.

One of the niftier early convergence devices, from Nokia, way back around 2005 when the whole idea of convergence seemed very nifty: a phone, MP3, and game console all in one. This system was the first to attempt commercial-scale DRM on a Java platform, the quick cracking of which confirmed suspicions that DRM and Java make a lousy combination. A decade later, every self-respecting smart-phone can do all this and more - but it's still not a good idea to do DRM in Java.

O

Obfuscation

The deliberate obscuring of something - typically, binary executable software code - which makes it harder for an attacker to reverse engineer and thus to crack. Obfuscation is usually an ad-hoc technique in a DRM developer's security arsenal, but there are companies, such as Irdeto, which have specific related expertise and products. Some technologists are critical of such "security through obscurity", but in fact, due to the limitations of cryptography, it is a necessary component of DRM on open systems such as PCs. See also tamper resistance.

The Open Source movement's proposed Rights Expression Language. ODRL is a W3C proposal for an XML-based rights-expression language, from Australian (then DRM, now automotive) technology provider IPR Systems. ODRL is free of licensing requirements, but with the exception of some penetration in the wireless market, it does not seem to have caught on - XRML won in the marketplace.

An open source project aimed at DRM for audio and video using the MPEG standards family, developed by Objectlab. Objectlab is an American East Coast consulting firm specializing in media, which has been involved in several high profile DRM initiatives. Your scribe comments elsewhere on the inherent contradictions of DRM and Open Source. The project still exists on SourceForge but there is little sign of life.

An initiative announced by Sun Microsystems in mid 2005 to develop open source DRM - further evidence, if any was needed, that Sun had lost it. There were already too many ways to do DRM, and the vast majority of Open Source supporters hate DRM in the first place. Worse, the Open Source licensing is no insurance against patent infringement claims. Such claims would have come hard and fast if the initiative took off, which it didn't - it's dead.

A consortium of the Wireless industry focused on standards and interworking, kind of a cellular equivalent to the W3C. OMA defined their own DRM, and was one of the predominant forces for multi-vendor, standards-based DRM, but due to a lack of promotion and IP concerns it is rarely seen today except in a trivial legacy form (OMA 1.0) in older cell phones.

Open Source

A collaborative software development philosophy which has produced a lot of widely-used code, notably the Linux operating system and, arguably, Android. Open source is based on the notion that anyone can gain access to the source code and modify it in any way, but they must (usually) return the modified code back to the open-source community, as captured in the applicable licensing schemes such as the GNU General Public License. There are several variations of the open source license, and it's worth paying attention to which one applies to a particular piece of code you might be considering. SourceForge is one of the largest open source communities.

There are some requirements of DRM - such as obfuscation and tamper resistance, at least for PCs - which are hard to see being implemented in a way that meets open source disclosure requirements. Note that the devil is in the details of the particular license; the BSD license, for example, does not require that modified code be returned to the public domain.

Open System

A computing system based on well-known (if de-facto) standards and subject to detailed internal analysis, extension, and modification by any suitably skilled person. The runaway success of the PC is largely due to the wide-open, multi-vendor competition in software and hardware made possible by this openness. From a content protection point of view, this openness is problematic. It means there is no place to robustly "hide" data, whether it be controlled content, keys used to access such content, or what-have-you. It also means there is a vast arsenal of reverse engineering tools and skills which can internally inspect and modify software, including defeating protection mechanisms. Today, Android is arguably an open mobile operating platform, iOS less so.

A supplier of electronic content services including Digital Rights Management, which specializes in the eBook industry, notably for libraries. Although they're apparently successful it's hard to tell how successful, since the company is privately held.

As the name implies, OverPeer was a kind of "overseer" of piracy-friendly P2P networks. It worked primarily for content providers who typically don't want their content on such networks, and was rumored to be primarily in the business of polluting P2P networks with junk to frustrate users and discourage use of P2P. Overpeer was shut down by owner Loudeye in late 2005.

Industry speak for delivering video to consumers over the public Internet. Usually, a variety of devices is supported, including iOS and Android mobile phones and tablets. Netflix is the best known example. OTT is in common use by many others as well, for instance, traditional TV service providers such as Comcast often provide it as a bonus to their traditional pay-TV subscribers to help persuade them not to jump to all-Internet alternatives.

P

A monopoly on the creation or sale of an invention granted through an institution such as the United States Patent and Trademark Office. In high-technology in general and DRM in particular, patents play a huge role. It is often impossible to build a specific class of product without infringing a patent and thus, either risking huge legal liabilities, or licensing the patent from its owner. Even standards-based products may encounter patent problems since it often occurs that companies contributing standards have patented underlying technologies. The largest patent collections in the DRM arena belong to Microsoft, ContentGuard (now Pendrell), and the Sony/Phillips consortium which bought Intertrust in 2002.

A company which does not produce products itself but instead nurtures a patent portfolio, waiting for other companies to infringe (or allegedly infringe) their patents, at which point they demand substantial licensing fees. A well-known case is that of NTP (which doesn't even have a Web site), which got settlements in nine figures from RIM. Opinions vary on what makes a troll - in the DRM space, both ContentGuard and Intertrust are seen by some as trolls, though they (or their corporate ancestors) have provided some useful DRM technology as well as patents.

Unfortunately, it seems trolls are becoming more prevalent and by some measures more patent litigation is initiated by trolls than by companies which actually make anything.

A networked communications model wherein there is no "hierarchy" and substantially all of the participants have the same capabilities, e.g. for both providing and obtaining content. When this model is applied to the public internet and the nodal software is freely available, it is an efficient, self-sustaining means of distributing digital content. Unfortunately, as the original Napster experience illustrated, the most popular application of such systems is piracy of copyrighted content such as music. Though the P2P incarnation of Napster is long dead, P2P continues through Napster descendants, notably BitTorrent. There have been various attempts to "legitimize" P2P, such as Snocap and iMesh; the latter is still around though it does not appear to be thriving. Any such efforts are hampered by a simple truth - for a consumer, if the content isn't free, a good commercial system such as the iTunes music store is way better than P2P.

The economic impact of P2P - i.e. the losses to industry as a result of decreased legitimate sales - is a subject of much debate. Unbiased analyses are hard to come by, but this one for online music by Michael Geist is pretty convincing in its conclusion that P2P's net impact for music was minor. It's doubtful whether similar logic applies to video, because the relatively high cost of watching movies makes getting a pirate copy - typically via a torrent - very tempting.

A consumer electronics device which replaces the magnetic tape of a video cassette recorder with a hard-disk drive, and analog recording with digital. These started out as relatively high-end stand-alone devices from pioneering companies such as TiVo, but now PVR capabilities are integrated as an application into related devices such as TV set-top boxes. Content providers are concerned about their potential for piracy, though that may be overblown; a more legitimate concern is that of advertisers, who worry about users habitually zapping through their ads without looking at them.

A family of techniques for compactly encoding audio and video information which is based on experimentally determined limits of human perception. Almost all modern codecs (MP3, AAC, MPEG-4, HEVC etc.) use these techniques because of the high (10x or more) size compression they provide relative to raw formats such as PCM. The encoding takes advantage of such perceptual phenomena as "masking", where noise or a quiet sound in a given frequency range is not detected by a listener in the presence of a louder sound in the same range. A good technical description of how this works for audio is provided in this article from Audio Design Line. Perceptual coding aims to eliminate any bits from the data stream which are not directly perceptible by the listener/viewer. In practice this raises a couple of issues:

Perception differs between individuals so a particular encoding (say, MP3 at 64 kilobits/sec) that satisfies one person may not satisfy another.

It is very difficult to design robust watermarks which will survive encoding in current or future perceptual codecs. After all, watermarks seek to add "imperceptible" data bits, which is exactly what perceptual codecs try to eliminate! This contradiction - or, rather, a clear lack of appreciation for it - was the main reason your humble scribe abandoned the SDMI when they became determined to solve the digital music piracy problem with watermarks.
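Both the Lossless entry above and the watermark contradiction just described, as one added example that is not code from the original page: a DEFLATE (Lempel-Ziv family) round trip returns its input bit for bit and a single flipped bit is caught by the stream's integrity check, whereas a toy "perceptual" codec that simply discards low-order sample bits cannot give them back, and a watermark hidden in exactly those imperceptible bits does not survive it. The 8-bit sample buffer, the watermark bits and the bit-dropping quantizer are constructed stand-ins for real audio and a real codec.

```python
"""Lossless vs. lossy coding, and why an LSB watermark does not survive a
codec that removes imperceptible detail. Added example, not from the
original page; samples, watermark and the toy quantizer are constructed.
"""
import random
import zlib


def lossless_roundtrip(data: bytes) -> bool:
    """DEFLATE returns the input bit for bit, whatever the content."""
    return zlib.decompress(zlib.compress(data)) == data


def survives_bit_flip(data: bytes) -> bool:
    """Flip one bit in the middle of the compressed stream: the original
    never comes back, and zlib's Adler-32 check normally rejects it outright."""
    comp = bytearray(zlib.compress(data))
    comp[len(comp) // 2] ^= 0x01
    try:
        return zlib.decompress(bytes(comp)) == data
    except zlib.error:
        return False


def lossy_encode(samples: list, keep_bits: int) -> list:
    """Toy perceptual codec: keep only the top `keep_bits` of each 8-bit
    sample. The discarded bits are gone; decoding cannot restore them."""
    shift = 8 - keep_bits
    return [(s >> shift) << shift for s in samples]


def max_error(a: list, b: list) -> int:
    """Largest per-sample difference between two buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


def embed_lsb_watermark(samples: list, bits: list) -> list:
    """Hide watermark bits in the least significant bit of successive
    samples, i.e. in the 'imperceptible' part of the signal."""
    out = list(samples)
    for i, b in enumerate(bits):
        out[i] = (out[i] & ~1) | b
    return out


def extract_lsb_watermark(samples: list, n: int) -> list:
    return [s & 1 for s in samples[:n]]


def watermark_survives(samples: list, bits: list, keep_bits: int) -> bool:
    """Embed, run through the lossy codec, extract, compare."""
    marked = embed_lsb_watermark(samples, bits)
    coded = lossy_encode(marked, keep_bits)
    return extract_lsb_watermark(coded, len(bits)) == bits


# Constructed 8-bit "audio": 64 pseudo-random samples with a fixed seed.
random.seed(1)
SAMPLES = [random.randrange(256) for _ in range(64)]
MARK = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed watermark payload

if __name__ == "__main__":
    print("lossless round trip:", lossless_roundtrip(bytes(SAMPLES)))
    print("survives one bit flip:", survives_bit_flip(bytes(SAMPLES)))
    print("max error at 4 kept bits:", max_error(SAMPLES, lossy_encode(SAMPLES, 4)))
    print("watermark survives 8-bit codec:", watermark_survives(SAMPLES, MARK, 8))
    print("watermark survives 7-bit codec:", watermark_survives(SAMPLES, MARK, 7))
```

Real perceptual codecs discard information in the frequency domain rather than by bit depth, but the lesson is the same: any watermark placed where the listener cannot hear it sits in exactly the part of the signal the codec is designed to throw away, so a robust watermark has to live in perceptible detail and be faint enough to be tolerated there.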

An underground club of PC software cracking experts who produced cracks of admirable quality, which could often be found on Usenet or ever-changing crack web sites. Your scribe has seen some which used user-friendly Windows menus to conveniently select from among many programs to be cracked. The crew was active round the turn of the millennium and quite capable of defeating schemes which might have been considered DRM for software, such as the conversion of a demo version of a game to a full version. They do not appear to be active under that name any more.

A security paradigm according to which the platform (e.g. Operating System and possibly hardware) protects software programs from attack, so that the programs do not need to protect themselves. The advantage of platform security is that it simplifies software development by eliminating security concerns for most developers. The disadvantage is that, once the platform security is cracked, it's game over for any programs which relied on the associated protections. Video game consoles use platform security and have a long history of such cracks, and some consoles have been effectively killed by widespread cracking, because game developers will not support a given platform if they feel they won't get paid for their efforts. The Symbian mobile operating system, which was arguably the most secure mobile operating platform, had a similar fatal hack (the "TRK" hack) in 2008.

In the real world of secure media applications, there is usually a combination of security at the application level and security at the platform or ecosystem level. Apple's iOS has an impressive level of platform security and, to a lesser extent, Android has similar features such as code signing.

One of two possible approaches to rendering digital content, and the one that is almost always used for media. The other is the executable model. In the player/asset model, the desired content is in the form of passive data, such as an encrypted video file, and it is rendered by a standard executable player program, such as Windows Media Player. The content does not know how to play itself, and typically uses standardized file formats and codecs. (From a technical point of view, it could serve the purposes of DRM to have a unique player for every piece of content, but this is not commercially practical.)

In this situation, the only way to protect the content is to encrypt it in such a way that only approved, DRM-aware player programs can decrypt and render it. This means that the security level of the media file is less than or equal to the security of the player, with key discovery or wedge attacks being common. In practice all audio and video content uses this model, which is one of the reasons that high security is more difficult to attain for these content types than for software.

PlaysForSure

A marketing/logo campaign from Microsoft which was designed to reassure consumers that they could buy portable media players from anywhere and (given the right logo), their Microsoft-format music would still "Play For Sure." This was in response to one of Apple's great strengths - namely, that if I buy a tune from the iTunes Music Store, download it using iTunes software, and synch it up with my iPod, there's only one company (Apple) to blame if it doesn't work. Contrast this to a WMA transaction involving three separate companies for the store, the PC application, and the portable player, where finger-pointing scenarios could easily drive a consumer nuts.

It didn't work anyway. Microsoft's own Zune of 2006 didn't work with "PlaysForSure", and the logo was dropped in 2007 in favor of "Certified for Windows Vista". As other pundits pointed out at the time, that left us with the Zune and other devices both "Certified for Windows Vista" but not able to work with each other. What was the point of those logos again?

PlayReady

Microsoft's current DRM technology, introduced in 2007 as a successor to WMDRM-PD. PlayReady has some nifty capabilities, notably multi-device support via Domains, Over-The-Air (OTA) license acquisition, and arbitrary content encryption via envelopes. PlayReady also supports access to WMDRM version 10 content, providing a bridge to their legacy technology - something they didn't do with the Zune. Technically, PlayReady looks pretty good and has some of the same goodies as would-be competitor Marlin, but with less complexity. PlayReady appears to target the mobile space especially and is doing reasonably well in the DRM marketplace.

Playstation

Arguably the leading video-game console family in the world, manufactured by Sony. Software DRM - in this case, the art of preventing fraudulent copying of games - is essential to the game console business model, which makes a profit from games, not hardware sales. Some of the most fascinating cat-and-mouse games over the years of hackers vs. manufacturers have occurred with the Playstation family. At one point in 2010 the "epic Fail" team hacked the PS3 fatally (Youtube video) and Sony surprised everyone with a very ingenious "Epic Save" response which effectively forced an upgrade in order for consoles to be able to remain online.

POD

PODs are industry-specific variants of smart cards which are used to support conditional access in satellite TV systems. Hacking these cards is a major underground industry, which by most estimates is larger, dollar-wise, than the corresponding legitimate industry.

Portable Document Format (PDF)

The de-facto multi-platform standard for viewing and printing electronic documents, created by Adobe. PDF and its associated reader software are ubiquitous, and Adobe has a plug-in framework that supports DRM.

One of several approaches to the problem of small online payments for digital goods. Considering that credit cards have high overhead and aren't possessed by kids, and microtransaction technology is missing in action, they are not a bad idea and are widely used by the likes of iTunes.

Pressplay

An early on-line music service bought by Roxio and rebranded as Napster (not the original Napster, of course).

Preview Systems

A defunct DRM and ESD technology supplier, which acquired much of its technology in a merger with Portland Software in the late 1990s. In turn, much of Preview's technology (notably Vbox and ZipLock) was bought on Preview's demise by Aladdin. Their founder re-emerged as CEO of Protexis.

Privacy

The expectation that individuals should not be spied on, or have personal information inappropriately collected and/or shared. In the online world, privacy is a major issue. For example, many Internet users like to maintain their privacy by being anonymous, at least some of the time. But law enforcement agencies and copyright holders see anonymity as something which criminals can hide behind. Internet Service Providers are often caught in the middle, wishing to protect the privacy of their subscribers in the face of court orders to reveal the identities of suspected wrong-doers.

As for the law, there is no general-purpose federal privacy legislation in the USA, but the use of personal information in Canada is limited by PIPEDA.

A software DRM company based in Canada (apparently with help from the Canadian government), with notable alumni from Preview Systems, especially Preview CEO Karl Hirsch. It was acquired by Arvato, a division of Bertelsmann, in 2009, and seems to have largely disappeared since then.

Public Key Infrastructure (PKI)

A combination of hardware, software, policies, and procedures intended to foster the universal use of Public Key cryptography in commerce, industry, and government. The term was first widely promoted by Entrust, a Canadian-based company which spun out from Nortel in the mid 1990s. The cornerstone of PKI is certificate-based authentication of the entities involved in a transaction. When properly implemented such systems allow a large number of parties who do not know each other to engage in trusted transactions, commercial or otherwise.

PKI-like technologies are in widespread use in DRM systems today, though they rarely are referred to by that term. For the most part when people say PKI today, they are referring to specific commercial systems from vendors such as Entrust or Verisign.

Pulse Code Modulation (PCM)

One of the earliest and simplest kinds of codec for representing analog data such as music in digital form. In it, the amplitude of an analog signal is sampled at regular time intervals (in the "time domain") by an analog-to-digital converter, and the resulting digital amplitude values are stored in a raw form. For example, the Red Book format used in audio CDs linearly samples each of two channels at 44.1 kilohertz and represents each sample as a 16-bit number. PCM-encoded data is too bulky for convenient Internet download, and it took the development of more efficient perceptual codecs such as MP3 to make Internet music sharing a mainstream activity.

PUMA (Protected User Mode Audio)

Technology used by Windows Vista to ensure that audio output driver chains are "trusted" to handle protected media content. This was done by Secure Audio Path in previous Windows operating systems.

Puretracks

The first "legitimate" music download site for Canadians, started in 2003. It used Windows Media Player technology and DRM. I tried it at the time and it was OK - it was quite painless and I paid the princely sum of $2.28 (Canadian, including tax, on a credit card!) for a couple of tracks I wanted. It was still no match for iTunes though, and shut down in 2013.

PVP-OPM

"Protected Video Path - Output Protection Management", a software system designed to take the concepts of COPP further in Windows Vista.

Q

Quality of Service (QoS)

The capability to provide guaranteed sustained performance characteristics - notably, bandwidth and latency - for a connection over a packet-switched network. When the network is the public Internet - i.e. for the vast majority of consumers - end-to-end QoS capabilities are not available. In earlier years when multimegabit domestic Internet was uncommon (as indeed it still is in some parts of the world), this lack of QoS made it hard to provide a high-quality streaming experience for consumers, especially for video. Netflix would not have been viable in 1999; that it is viable today is due to increased bandwidth, better codecs, and better delivery strategies, not QoS, since there is still none on the public Internet.

R

Rainbow Technologies

A multinational software security company notable for being an early entrant in software DRM. Like Aladdin, their roots were in dongle-based security, i.e. usage control for high-value software applications on PCs. They diversified considerably after the turn of the millennium and were bought by SafeNet in 2003.

Reasonable And Non-Discriminatory (RAND)

Favorable licensing terms sometimes offered by owners of technological Intellectual Property - usually patents - so that other companies may build products that incorporate their technology. Typically, this is done in a situation where the intellectual property covers part of an industry standard. The idea is to compromise between, on the one hand, killing the standard by unreasonable license demands, or, on the other hand, simply giving the technology away as per the Royalty Free model. The spirit of RAND is to charge small licensing fees and to not deny licenses to anyone, including competitors. The interplay between patents and standards is controversial, with patent policy being a key differentiator between different standards bodies.

RAND is not specific to DRM, but it does affect DRM. Any company designing a DRM system may find that they need a technology license from a patent holder such as ContentGuard or Intertrust - and if that license is not available on reasonable terms, it could kill their business.

RealPlayer

The media player application from Real Networks. It was never any threat to iTunes or Windows Media Player; Real's apparent strategy is to offer de facto interoperability - to support more platforms and more media formats than competitors.

At one point they achieved interoperability with other systems, notably iTunes, through reverse-engineering, not technology licensing. This caused serious DMCA issues and is no longer supported.

A DRM provider which died in 2001 while trying to provide an unusual multivendor DRM service model. It was reborn as a subsidiary of Overdrive in 2003.

Red Book Audio

The standard for the logical and physical layout of audio CDs, originally proposed by Sony and Philips, evolved from earlier "yellow" and "orange" book standards. The Red Book format was defined long before powerful PCs and digital piracy became commonplace, and so did not include any DRM capability. Given this, and the huge backward-compatibility constraints of deployed consumer electronics, it was difficult, if not impossible, to technologically protect Red Book audio from piracy. Some companies, such as Sunncomm and key2audio, tried anyway; all they did was cause a significant backlash, as exemplified by this button from the UK Campaign for Digital Rights lobby group:
Of course today CD sales are way down and no-one bothers applying technological protection to CD-quality audio anyway.

Formerly known as Mediaport or MusicATM, their core product is a kiosk that dispenses media on-demand to thumb drives at the point of consumption, such as a university residence or corner store. This idea has been around for ages... a company called Digital on Demand tried it in the ancient days of SDMI. It seems the kiosks as a general retail strategy have not caught on, probably because torrents and 99 cent downloads can provide most of the same material much more easily. But the company is forging on, using the kiosks at specialized locations and events, and selling rebrandable "white-box" media technology for other media distributors.

Replay Attack

An attack against a digital security system which "replays" captured information - typically, a digital credential of some kind - in an attempt to coerce the receiving system into giving the attacker whatever resources were associated with the original, presumably legitimate and successful, presentation of the information. For example, a Web user who pays for a PDF document and is then relayed to a download page might capture the download URL from his browser screen and present it again - or email it to a friend - to get another copy of the document. If necessary, a system can be made resistant to replay attacks by making credentials different every time and/or robustly embedding client-related information in the credential. See also spoofing.
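The download-link case above is the classic replay scenario: the credential (a URL) is valid for anyone, any number of times. As an added example, not code from the dictionary's author, here is a small token service that applies the two countermeasures the entry names: every credential carries a fresh random nonce (so it differs every time and can be marked as used), and it is bound to client-side information (here, a constructed session id) and signed with an HMAC so it cannot be altered. The secret key and all identifiers are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed server-side secret for the example; a real service would load it from a key store.
SERVER_SECRET = b"example-only-secret-key"


class DownloadTokenService:
    """Issues single-use download credentials bound to the purchaser's session.

    A token is  document|session|nonce|expiry|hmac . The nonce makes each
    credential unique and lets the server remember which ones were redeemed;
    the session binding defeats forwarding the link to someone else; the
    expiry limits how long a captured token stays useful; the HMAC stops a
    client from editing any field.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 300):
        self.secret = secret
        self.ttl = ttl_seconds
        self.used_nonces = set()  # nonces that have already been redeemed

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, document_id: str, session_id: str, now: float) -> str:
        nonce = secrets.token_hex(16)          # hex only, so it never contains '|'
        expires = int(now) + self.ttl
        payload = f"{document_id}|{session_id}|{nonce}|{expires}"
        return payload + "|" + self._sign(payload)

    def redeem(self, token: str, session_id: str, now: float) -> Tuple[bool, str]:
        """Return (accepted, document_id_or_reason). Checks run cheapest-to-state-changing."""
        parts = token.split("|")
        if len(parts) != 5:
            return False, "malformed"
        document_id, bound_session, nonce, expires, sig = parts
        payload = "|".join(parts[:4])
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False, "bad signature"     # any edited field fails here
        if now > int(expires):
            return False, "expired"
        if bound_session != session_id:
            return False, "wrong client"      # the "email it to a friend" case
        if nonce in self.used_nonces:
            return False, "replayed"          # the second presentation
        self.used_nonces.add(nonce)           # consume the credential
        return True, document_id
```

The used-nonce set only needs to hold nonces until their expiry passes, which is why an expiry field is paired with the nonce: without it the server would have to remember every token ever issued.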

Renewability

A feature of a networked security system that lets compromised components - such as cracked cryptographic keys - be replaced selectively without having to replace other parts of the system, redeploy content etc.

Reverse Engineering

Analyzing a product to determine how it functions. In the security and DRM worlds, reverse-engineering is used by researchers, competing DRM technology providers, and hackers, to determine how protection mechanisms work. For Black Hat hackers, successful reverse-engineering is often followed by producing and distributing a Crack or exploit. Those who engage in this activity are often very skilled, as exemplified by this (now outdated) Windows Media Player analysis. In the United States, reverse-engineering of content protection technology is to large extent outlawed by the Digital Millennium Copyright Act.

Revocability

In security systems in general and DRM systems in particular, it is useful to be able to "revoke", i.e. take away, some previously granted credential or right. "Revocability" is the term applied to systems which have this feature designed in. SSL certificates, for example, are subject to revocation to deal with fraudulent behavior on Web sites. For mass-market DRM, revocation is controversial, because consumers do not like having capability they once had being "taken away" even if, say, that capability was only useful for pirated files. In reality, a lot of software already supports revocation through a combination of on-line updates and EULAs which give vendors such as Microsoft the right to alter the behavior of, say, Windows Media Player. In practice, consumers don't mind or notice as long as there is renewability to help after the revocation.

There are also technological and business challenges with revocation. Even ignoring adverse consumer reaction, it turns out that it is a very hard problem to keep track of millions of pieces of consumer equipment, figure out which ones are compromised or highly likely to be compromised, and revoke only those devices. The DTCP revocation scheme, for example, has no notion of product "families" but can only track and revoke individual devices, rendering it practically unusable. Similarly, HDCP keys are theoretically revocable, but in practice specific keys have been built into chip sets used by both legitimate Consumer Electronics devices and by devices built for stealing content. Since you can't revoke one class of devices without revoking the other, usually no revocation happens. The Blu-Ray key management system is arguably the most sophisticated, with the ability to revoke at various levels, right from entire classes of devices to a single specific device, and even then revocation is rarely used. This highlights the business complication of revocation: it is typically device manufacturers who have the burden of supporting revocation and facing the resulting wrath of customers with suddenly-useless devices, while it is content providers that benefit from revocation, not the manufacturers.
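The two failure modes in the paragraph above (no notion of product families, and a single key shared by legitimate and grey-market hardware) are easy to see in code. The following is an added illustration, not code from any of the systems named; the device certificates, model names and key ids are constructed. A revocation list that can name a vendor, a model, an individual serial number or a key id shows why per-serial-only lists are unworkable at scale, and why revoking a shared key id takes the honest devices down with the dishonest one.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DeviceCert:
    """Constructed stand-in for a device certificate."""
    vendor: str
    model: str
    serial: str
    key_id: str   # identifies the key material burned into the device's chipset


class RevocationList:
    """Multi-level revocation: an entry can name a vendor, a model family,
    a single serial number, or a key id shared by every device using that chipset."""

    LEVELS = ("vendor", "model", "serial", "key_id")

    def __init__(self):
        self.entries: List[Tuple[str, str]] = []

    def revoke(self, level: str, value: str) -> None:
        if level not in self.LEVELS:
            raise ValueError(f"unknown revocation level {level!r}")
        self.entries.append((level, value))

    def is_revoked(self, cert: DeviceCert) -> bool:
        # A device is out if any entry matches the corresponding certificate field.
        return any(getattr(cert, level) == value for level, value in self.entries)

    def affected(self, fleet: List[DeviceCert]) -> List[str]:
        """Serial numbers in the fleet that this list would cut off."""
        return [c.serial for c in fleet if self.is_revoked(c)]


# Constructed sample fleet: two units of one model, one of another, and a
# grey-market box that shares the BR-200's chipset key.
FLEET = [
    DeviceCert("AcmeTV", "BR-100", "SN-0001", "KEY-A"),
    DeviceCert("AcmeTV", "BR-100", "SN-0002", "KEY-A"),
    DeviceCert("AcmeTV", "BR-200", "SN-0101", "KEY-B"),
    DeviceCert("NoName", "Ripper-1", "SN-9999", "KEY-B"),
]


def revoke_one_serial(fleet: List[DeviceCert]) -> List[str]:
    """Per-device revocation, the only kind a DTCP-style list supports."""
    rl = RevocationList()
    rl.revoke("serial", "SN-0001")
    return rl.affected(fleet)


def revoke_model_family(fleet: List[DeviceCert]) -> List[str]:
    """Family-level revocation: one entry covers every BR-100 unit."""
    rl = RevocationList()
    rl.revoke("model", "BR-100")
    return rl.affected(fleet)


def revoke_shared_key(fleet: List[DeviceCert]) -> List[str]:
    """The HDCP dilemma: the key id is shared, so the honest BR-200 goes too."""
    rl = RevocationList()
    rl.revoke("key_id", "KEY-B")
    return rl.affected(fleet)
```

In the shared-key case the list has no field that distinguishes the legitimate BR-200 from the grey-market box, which is exactly the situation in which, as the entry says, no revocation happens.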

RFID

Radio Frequency IDentifier. A ubiquitous technology of small, low-cost, passive physical tags containing UIDs which can be read at a distance. They are typically used to track store inventory and would have nothing to do with DRM except that a truly silly proposal was put forward to add RFID to DVD in the name of DRM.

An on-line music service which was bought by Real Networks in April 2003 and managed to survive long enough to spin back out as an independent in 2010. Your scribe has no direct experience with this service, but it looks reasonable - a combination of paid, DRM-free downloads and a DRMed music streaming service which supports PCs and popular mobile platforms.

RIAA

The Recording Industry Association of America, the powerful voice of major music studios. Their concerns about being ripped off on the Internet were and are legitimate, but they are considered to be in league with Satan by the youthful Peer-to-Peer downloading crowd, whom they famously have a history of suing on an individual basis. They are also expert - far more so than Silicon Valley - at influencing Washington.

Rights Data Dictionary (RDD)

To quote MPEG: "..a set of clear, consistent, structured, integrated and uniquely identified Terms to support (the MPEG-21) Rights Expression Language." A Rights Data Dictionary defines standard semantics so that a Rights Expression Language can use a term (say, "license") without having multiple interpretations of the term confuse developers and users. Nice idea, especially if you want interoperability - but unfortunately none of the big players do, so the term is rarely heard these days.

Rights Expression Language

A machine-readable - and usually somewhat human-readable - language for expressing what rights are available and/or have been obtained for certain items of content and certain users. For instance, that a particular movie can be played on a specific device three times, or watched anytime before July 1. The dominant one today is XrML.
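To make the two example rights concrete (three plays on a specific device; playback anywhere until a date), here is an added example of a tiny evaluator for a license written in a constructed JSON rights expression of my own design, not XrML or any real REL, and not code from the dictionary's author. It shows the part a rights language exists to standardize: a player reads grants, matches them against the requested action, device and time, and consumes a play count when it authorizes.

```python
import json
from datetime import datetime

# Constructed sample license: two grants for one movie.
SAMPLE_LICENSE = """
{
  "content_id": "movie-123",
  "grants": [
    {"right": "play", "device": "dev-A", "count": 3},
    {"right": "play", "device": "*", "until": "2030-07-01T00:00:00+00:00"}
  ]
}
"""


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(iso)


class LicenseEvaluator:
    """Evaluates 'may <device> exercise <right> at <time>?' against the grants."""

    def __init__(self, license_json: str):
        lic = json.loads(license_json)
        self.content_id = lic["content_id"]
        self.grants = lic["grants"]
        self.used = [0] * len(self.grants)   # plays consumed per counted grant

    def authorize(self, right: str, device: str, now: datetime) -> bool:
        """Return True and consume a grant if any grant permits the action."""
        for i, g in enumerate(self.grants):
            if g["right"] != right:
                continue
            if g.get("device", "*") not in ("*", device):
                continue                      # grant is for another device
            if "until" in g and now >= at(g["until"]):
                continue                      # grant has expired
            if "count" in g and self.used[i] >= g["count"]:
                continue                      # play count exhausted
            self.used[i] += 1
            return True
        return False


def plays_allowed(device: str, when: str, attempts: int) -> int:
    """How many of `attempts` consecutive play requests a fresh license grants."""
    ev = LicenseEvaluator(SAMPLE_LICENSE)
    return sum(ev.authorize("play", device, at(when)) for _ in range(attempts))
```

Note that state (the consumed play count) lives in the evaluator, not in the license text: the expression language says what was granted, and protecting the counter from being reset is the DRM system's job, not the language's.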

robust

Not easily broken. In a DRM context, robustness usually refers to the ability of a security mechanism to continue to function even under attack. For example, a robust watermark is designed to remain detectable and unaltered even if the media file that contains it is subject to manipulation such as digital to analog conversion. Of course everyone wants overall systems to be robust - but it is worth noting that sometimes the overall system is served well by having certain components which are fragile. See also Robustness Rules.

Robustness Rules

A set of rules that an implementer (which is usually to say, licensee) of DRM technology such as PlayReady must meet in order to demonstrate a defensible level of resistance to cracking attacks. In addition to being crack resistant, the implementation must also handle content in the proper way, which is usually specified by a "sister" set of Compliance Rules. Robustness rules vary from one system to another and are only sometimes public. There are, however, usually common elements such as anti-tamper, key hiding etc. Some infrastructure providers, such as Irdeto, specialize in helping developers or service operators meet such requirements.

rooting

Historically, "rooting" refers to an attacker "gaining root" on an OS which has multiple privilege levels, of which "root" is the highest. Absent extraordinary security technology on the device, a user with root access can effectively do anything they want on the device. More recently, rooting usually refers to a hack against the security of a mobile operating system such as Android.

Rootkit

A set of software tools designed to conceal functionality in a computer and more particularly to give a third party secret control ("Root privileges", based on Unix terminology) of that computer. Which has little to do with DRM, except that in 2005 Sony was accused of stealthily installing a rootkit on PCs from audio CDs using MediaMax DRM anti-copy technology.

Technically, this was not quite right - the software in question was not a true rootkit - but it was a public relations disaster for Sony. Bruce Schneier described the incident, as it was still unfolding, here.

An insightful analysis by Ed Felten (PDF) argues convincingly that, while the label "rootkit" may be unjustified in this case, the very nature of Audio CD anti-copy required the use of sneaky techniques otherwise found mostly in spyware. CD anti-copy is long abandoned as of 2013.

Formerly Macrovision, an American company which made a ton of money from analog TV anti-copy technology. It didn't hurt that their technology was literally legislated into the market by the U.S. government. Such technology is irrelevant today, with a few exceptions such as the digital version of CGMS. They went through a number of acquisitions and divestitures over the last decade and seem now to be focused mainly on the operator (e.g. cable/satellite TV) business.

Royalty Free (RF)

Unrestricted licensing terms sometimes offered by owners of a patent or other Intellectual Property (IP) so that other companies may freely build products that incorporate their IP. Usually, this is done in a situation where the patents cover part of an industry standard. The other option in a standards situation is the RAND model. The interplay between patents and standards is controversial, as many promising standards - DRM-related or not - have been derailed by surprise declarations of IP ownership part-way through the process. IP licensing policy (i.e. RF vs. RAND) is a key differentiator between different standards bodies.

RSA

One of the first and best known asymmetric cryptography algorithms, named after its inventors (Ron Rivest, Adi Shamir, and Leonard Adleman). The RSA algorithm relies on the fact that it is MUCH easier to create an extremely large number by multiplying two large prime factors together than it is to analyze such an extremely large number to figure out what its factors are. RSA was patented but its patents expired years ago. RSA is used in some DRM systems (though ECC crypto is more common in DRM for performance reasons) and also as part of the TLS Web security protocol.

S

SafeCast

An obsolete (and pretty nasty) PC software protection scheme from Macrovision, based on technology acquired with the purchase of c-dilla in the UK.

Script

A simple form of computer program used to automate everyday tasks. Typically scripts take the form of a few lines of human-readable commands and are runnable from a command line (e.g. a Unix shell script.) If the task being automated is a malicious network attack, then the script becomes an exploit, which may be widely used by script kiddies.

Script Kiddie

A malicious but not necessarily highly skilled hacker who runs exploit scripts produced by others in order to do damage. A well known example is that of MafiaBoy, a 15-year old who used exploits to perform a major "Distributed Denial of Service" attack which brought many Web sites, including CNN, to their knees.

Secret Key Cryptography

See symmetric cryptography. Note particularly that a secret key is NOT the same as a "Private key", which is one part of a key pair used in asymmetric cryptography.

Secure Audio Path (SAP)

Legacy audio technology from Microsoft, probably inspired by SDMI, to prevent the installation of "insecure" drivers which might be wedge programs designed to steal audio content during playback on PCs. It also eliminated the presence of high-quality cleartext audio inside the PC except for a final trusted output driver. Deployed starting with Windows Millennium and Windows XP, it was common but not pervasive in consumer PCs. SAP was superseded by PUMA in Windows Vista.

Secure Digital Card (SD Card)

A trade-secret, licensable standard for flash memory cards intended for consumer applications such as portable music players. Originally developed by SanDisk, Matsushita and Toshiba, SD cards are postage-stamp sized and store dozens of GBytes at this writing. They are now promoted by the widely supported SD Association. Their security features are not all public, but they include CPRM and are rumored to be elementary e.g. a passive on-card Globally Unique Identifier. There have been several attempts to use them as distribution media for protected content such as movies, but none of them seem to have come to commercial fruition.

Secure Digital Input/Output (SDIO)

A specification that enables the SD Card interface on consumer devices to serve as a general secure I/O port. As for the original SD card, the specification is private and accessible only to members of the SD Association.

Secure Digital Music Initiative

A testimony to how profoundly most record executives misjudged the digital revolution in the late 1990s. A multi-industry consortium about DRM for on-line music, started by the Recording Industry Association of America in 1999. Participants were from music labels, the computing industry, DRM providers, and the consumer electronics industry. Unfortunately, the RIAA seemed to be obsessed with uncrackable copy protection. The resulting desperation - or technical ignorance, or both- led them down a path of designating watermark based protections, which were fatally cracked once exposed to outside scrutiny. Your humble scribe participated in SDMI and has more comment here. Long dead.

Secure Loader

A technology which encrypts or otherwise obfuscates executable software files so as to resist Static Analysis. For more on this see Wrapper.

Secure Video Processor

A legacy standard for video security incorporating both hardware and software. The sponsors were mostly European TV-delivery companies, with few computing heavyweights and no sign of Apple or Microsoft. Not surprisingly, it didn't catch on.

Serial Copy Management System (SCMS)

A system for controlling the copying of digital media by the use of permission flags (copy once, copy all, copy never) which goes way back to Digital Audio Tape (DAT) recorders and mini-disc recorders. SCMS was the result of Hollywood paranoia about the perfect quality of digital recordings and the attendant possibility of these devices being used for high-quality piracy. The deal was that in order for pre-recorded content to be made available (which was considered essential to the commercial success of the DAT format), Hollywood needed this concession from manufacturers. They got it, and no doubt that contributed to DAT being a flop. SCMS is rarely spoken of today. SCMS data can also be present on Red Book audio CDs, but this is of no consequence as the data is only visible over "spdif" digital outputs, which practically no one uses. Nonetheless, the concepts live on in other related areas; see for example the broadcast flag.
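The permission-flag idea is a small generation-control state machine, and it is worth seeing how little it takes. The following is an added simplification of my own, not code from the SCMS specification or from the dictionary's author; it uses symbolic flag names rather than the real bit encodings, and adds the "copy-no-more" state that a copy-once original produces, so that a first-generation copy cannot itself be copied.

```python
from dataclasses import dataclass
from typing import Optional

# Symbolic flags (the real standard encodes these as bits in the stream).
COPY_FREE = "copy-free"        # unlimited digital copying
COPY_ONCE = "copy-once"        # one generation of copies allowed
COPY_NO_MORE = "copy-no-more"  # state of a copy made from a copy-once source
COPY_NEVER = "copy-never"      # no digital copying at all


@dataclass(frozen=True)
class Recording:
    """Constructed stand-in for a digital recording carrying its control flag."""
    title: str
    flag: str
    generation: int = 0          # 0 = original, 1 = first-generation copy, ...


class CopyRefused(Exception):
    pass


def make_copy(source: Recording) -> Recording:
    """Apply generation rules to a digital-to-digital copy of `source`."""
    if source.flag == COPY_FREE:
        child_flag = COPY_FREE               # copies of free content stay free
    elif source.flag == COPY_ONCE:
        child_flag = COPY_NO_MORE            # the single permitted generation
    elif source.flag in (COPY_NO_MORE, COPY_NEVER):
        raise CopyRefused(f"{source.title}: flag {source.flag} forbids copying")
    else:
        raise ValueError(f"unknown flag {source.flag!r}")
    return Recording(source.title, child_flag, source.generation + 1)


def try_copy(source: Recording) -> Optional[Recording]:
    """Recorder front end: return the copy, or None if the flag refuses it."""
    try:
        return make_copy(source)
    except CopyRefused:
        return None


def max_generations(original_flag: str, limit: int = 10) -> int:
    """How many successive copy-of-a-copy generations a flag permits (capped)."""
    current: Optional[Recording] = Recording("demo", original_flag)
    depth = 0
    while current is not None and depth < limit:
        current = try_copy(current)
        if current is not None:
            depth += 1
    return depth
```

Everything here relies on the recorder honoring the flag it reads, which is the same trust assumption the entry describes: a device that ignores the flag, or an analog hop that strips it, is outside the scheme.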

Shim

A software-based attack designed to capture protected content in an unprotected form, as it goes by "in the clear" in the process of transport or playback. In the software media world, a typical shim is a rogue device driver which "wedges" itself into the path between media player software drivers and the video chip to intercept video and thus siphons the video. The appeal of a shim attack is that it completely side-steps the encryption and other security technology: the DRM system does the decryption work, and the hacker only steals the result. The only ways to prevent shim attacks are either to have hardware decryption on peripheral cards with no cleartext present in software, or to establish an unbroken chain of "trusted" software, and prevent users from installing untrusted drivers which could be shim programs. Secure Audio Path from Microsoft was a scheme to do the latter.

Note that in the mobile device world, ready-made shimming capability is easily available through rogue utilities such as Mobile Substrate.

A long-gone but interesting watermark-based approach to DRM from a subsidiary of Sony. In their "denial DRM" vision, watermarks did not prevent playback of the media. However unlike most watermarks, these were obtrusively visible and/or audible. The idea was that they were obtrusive enough to prevent sustained content enjoyment and fraudulent redistribution, but not so obtrusive as to prevent evaluation of the content by a potential purchaser. Removing the marks to convert the content to an unimpaired version required secret key knowledge and could presumably be done on a user's PC.

Sink

The receiving end of a point-to-point link streaming protocol such as DTCP or WMDRM-ND.

Siphon Attack

An attack against a media player (be it hardware or software) which obtains an unprotected copy of an initially DRM-protected video by "Siphoning" it, frame-by-frame, from an internal point such as a memory buffer or a graphics chip. An API could also be thus attacked using a shim. Recording from an analog output could also be considered siphoning, but this does not produce a good result and is not preventable anyway.
Siphoning is not the attack of choice in most situations, since it requires the attacker to actually have legitimate credentials (e.g. a PlayReady DRM license for the content), it is usually only real-time (i.e. a 2 hour movie takes 2 hours to siphon), and often the form in which the video can be siphoned requires further manual work such as re-encoding. Higher-level attacks such as Key Discovery are preferred.

The main area where siphoning is a potential business problem is when it serves as the point of origin for real-time internet rebroadcasts of high-value content such as live sports. For situations where content providers are especially concerned about content theft, they may require that siphoning be prevented by Media Path Protection.

Smart Cards

Tamper-proof security microprocessors in standardized, typically credit-card-sized packages, used for various applications such as public transit, pay TV, and automatic road toll collection. Smart cards are still the cornerstone of security for most traditional Conditional Access pay TV systems. In this scenario, set-top boxes have a slot for a replaceable smart card which embodies core security functions, and that card can be remotely updated or, worst case, replaced altogether, to respond to security breaches. The SmartRight consortium tried and failed a few years ago to promote smart-card-based consumer DRM throughout the home. Operators are not wild about smart cards because the effort and cost required to replace them throughout an operator's network are substantial. In some domains smart cards are being superseded by software implementations such as Irdeto's Cloaked Conditional Access (CCA), which are inherently renewable and eliminate the need to replace physical cards to maintain security.

Social Engineering

A favorite trick of black hats: getting around a security barrier by fooling a human being into helping you do so, such as by cold-calling a stranger within the target organization and deceiving him into providing a crucial password. Kevin Mitnick, a master at such things, pointed out that social engineering, when it works, is vastly easier than highly skilled and laborious approaches such as reverse engineering.

Over the years several companies with confusingly similar variations on this name have come and gone. Soft-lock used to provide anti-copy for software CD-ROMs. Softlok provides dongle-based protection for software. Softlock had 15 minutes of fame when it protected an electronic Stephen King story in 1999, but never made any money. They since changed names to DigitalGoods, and apparently went under.

A UK-based DRM technology company which had products for protecting both software and music. At one point many years ago they gained some notoriety by supplying DRM technology to P2P provider Grokster. More recently they focused on DRM for the game market, a very tricky field, and they ceased operation in 2013.

Source Code

The human-readable form in which software is originally developed, i.e. in languages such as C++. With respect to DRM, source is connected to two issues:

For DRM technology, whether, in order to apply DRM protection to a given software program, the developer has to modify source code or not, and

for the Open Source movement. Most open source advocates argue that there cannot be DRM in an open-source system since, by definition, the code that implements the DRM must be visible and - by implication- removable in the freely distributed source. (Though not all open source licenses require all modifications to be returned to the public domain.)

Space Shifting

Moving of a digital asset - such as an MP3 song - from one platform to another, such as from a PC to a portable player. Such moves are usually simple copying operations which most people consider to be fair use. However, exactly the same copies could be used for fraudulent redistribution, so some copy protection proponents see this as a security gap which they try to close with check in / check out capability. See also time shifting.

Spoofing

Pretending to be someone - or something - that you are not, in order to fool a system into giving you resources that you would not otherwise be entitled to, or to mislead an adversary. The use of someone else's password on a for-pay Web site is a trivial example. The cloning of a legitimate Set-Top Box to fool a Pay TV network into providing phone service for free is a less trivial example.

The leading consumer streaming music service. They have both free and premium models and are notable for their huge selection of music. They have a legitimate business model which involves paying royalties to record labels, though royalty rates themselves are the subject of debate. Since it's a streaming service, users need to have an active Internet connection to listen, but in a world of ubiquitous Internet access that is not too much of a barrier. The service uses DRM to prevent the recording of the streamed music but it appears that there are well known methods of recording it for later local playback even so.

Spyware

Software installed on a user's computer - without the user's informed consent and usually without even her knowledge - which "spies" on the user or otherwise invades user privacy. Typically, spyware covertly "calls home" over the Internet to report its findings. Often spyware is deployed by bundling "extra" functionality into freely available software downloads, or by exploiting well-known operating system security holes. While spyware has nothing to do with DRM as such, it has become associated with online content due to questionable judgments on the part of companies such as Real Networks, which have a history of "calling home" and sharing information on what users are doing without their knowledge or consent. Microsoft and others have raised suspicions as well, through disturbing language in their EULAs. It falls to online content businesses and media player manufacturers, therefore, to legitimately reassure their customers that they will not be spied upon when using their software.

Static Analysis

A family of software reverse-engineering techniques which rely on direct examination of the software in question in its distributed form, without necessarily even running the software. In trivial cases a hacker can accomplish a static attack by understanding and changing a program with a hex editor. More likely, he would use tools like the IDA Pro disassembler to understand the instruction flow of the program and to isolate and attack parts of the program of particular interest. In general, any software which needs to resist attack should use basic countermeasures to static analysis, such as a Secure Loader.
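An added illustration of the two sides of this entry, not code from the original page: a constructed x86 fragment of a license check, the two-byte hex-editor patch that removes its conditional branch, and the integrity check a loader can perform before running code to detect such a patch. The bytes, offsets and function names are constructed for this example only, and the caveat in the last function applies to any such self-check.

```python
import hashlib
import hmac

# Constructed stand-in for a protected program's code section (not real
# software): 32-bit x86 that compares a license-check result held in EAX
# with 1 and branches to the failure path when they differ.
CODE = bytes([
    0x83, 0xF8, 0x01,              # cmp  eax, 1
    0x75, 0x05,                    # jne  +5       ; to the failure path
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov  eax, 1   ; success: licensed
    0x31, 0xC0,                    # xor  eax, eax ; failure: not licensed
    0xC3,                          # ret
])
JNE_OFFSET = 3      # file offset of the conditional jump (constructed)
NOP = 0x90


def hex_edit_patch(code: bytes) -> bytes:
    """The hex-editor attack: overwrite the two-byte 'jne' with NOPs.

    With the branch gone, execution always falls through into the success
    path whatever the license check returned.  Nothing else in the program
    needs to be understood, only the location of the branch, which a
    disassembler finds by following the flow back from the code that
    reports the license error.
    """
    patched = bytearray(code)
    patched[JNE_OFFSET:JNE_OFFSET + 2] = bytes([NOP, NOP])
    return bytes(patched)


def run_check(code: bytes, license_result: int) -> int:
    """Minimal interpreter for just this fragment, so the patch's effect is visible.

    Returns the value the fragment leaves in EAX: 1 means 'licensed'.
    """
    branch_present = code[JNE_OFFSET] == 0x75
    if branch_present and license_result != 1:
        return 0      # jne taken -> xor eax, eax
    return 1          # fall through -> mov eax, 1


def code_digest(code: bytes) -> bytes:
    return hashlib.sha256(code).digest()


def integrity_ok(code: bytes, expected_digest: bytes) -> bool:
    """The check a secure loader performs before transferring control.

    Caveat: this comparison is itself code, and a patient attacker patches
    it (or the stored digest) as well, so it raises the cost of a static
    attack rather than preventing it.
    """
    return hmac.compare_digest(code_digest(code), expected_digest)


if __name__ == "__main__":
    good = code_digest(CODE)
    cracked = hex_edit_patch(CODE)
    print("unlicensed, original:", run_check(CODE, 0))
    print("unlicensed, patched: ", run_check(cracked, 0))
    print("patched passes integrity check:", integrity_ok(cracked, good))
```

The digest must be stored or computed somewhere the patcher cannot simply edit too, which is why real products move this logic into a loader that is itself obfuscated or, better, into hardware.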

Steam

Arguably the 800-pound gorilla of distribution and software protection on PCs, from game publisher Valve: a system which provides online delivery, updates, and mandatory registration. This paradigm makes possible the combination of verifiable global UIDs with regular security updates to stay abreast of hackers' efforts. It caused something of a backlash in the gaming community when applied to the mega-hit Half-Life 2 in 2004, partly because people resented paying big bucks for a CD and then watching the whole thing be replaced by a gigantic download, and partly because gamers hate really robust copy protection. However it also took the time to crack from days to months, and didn't stop the game from being a mega-hit which made Valve a bazillion dollars.

Steganography

The hiding of a secret message inside an innocuous-looking carrier message, and the subsequent extraction of that secret message. Since the secret message is usually not even detectable, an interloper probably wouldn't know where to look for it, let alone how to interpret it. (Unlike encryption, steganography offers no protection once the hiding method is known, so practical schemes use a key to select where and how the bits are hidden.) If the carrier is a media file such as a JPEG image, or an analog signal such as music, this is referred to as Watermarking.

sterile

A copy that can't be copied - the digital equivalent of a mule. Sony, for instance, proposed the idea of sterile CD copies as a way of providing personal-use copies of audio CDs while still preventing piracy. This, like all such CD schemes, was harebrained: an audio CD has to be readable by every existing player, so there is nothing on the disc that a copier can be prevented from reading. Nobody is worried about CD copying anymore anyway, and a less harebrained scheme (Digital Copy) emerged later for DVD and Blu-Ray video.

Stream Cipher

A class of cryptographic algorithm which generates a keystream and combines it (usually by XOR) with the data one bit or byte at a time, so that decrypting one byte can be done without knowing the values of neighboring bytes. RC4 is the best known example. Stream ciphers are not inherently weaker than block ciphers, but RC4 in particular has known statistical weaknesses, and every stream cipher fails catastrophically if a keystream is ever reused (for example by encrypting two files under the same key and nonce), which is an easy mistake to make in a content system. Their advantages are that they support random access into media files naturally and are less compute-intensive, so they were widely used for content encryption in early DRM systems. Block ciphers operate on fixed-size blocks (16 bytes for AES), so a naive use of them cannot decrypt a single byte in the middle of a file without first aligning to a block boundary, and historically they were slower. However a block cipher used in counter (CTR) mode becomes a keystream generator and supports random access just as well, and as the compute power of even inexpensive consumer electronics has improved, the 128-bit AES block cipher has become the current favorite for content encryption.
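An added example, not from the original page, of the random-access property discussed above, in Python. To keep it standard-library only, AES is replaced by a SHA-256-based keystream generator (an assumption for this example, not a recommended cipher); the seeking logic is exactly that of counter mode, where keystream block i depends only on the key, a nonce and i, so a player can start decrypting at any byte offset without touching the bytes before it. The last function shows why keystream reuse is fatal.

```python
import hashlib

BLOCK = 32  # keystream block size: one SHA-256 digest (stands in for a 16-byte AES block)


def keystream_block(key: bytes, nonce: bytes, index: int) -> bytes:
    """Keystream block i = SHA-256(key || nonce || i).

    A hash-based stand-in for AES in counter mode, which derives each
    keystream block from (key, nonce, counter) in the same way.
    """
    return hashlib.sha256(key + nonce + index.to_bytes(8, "big")).digest()


def ctr_xor(key: bytes, nonce: bytes, offset: int, data: bytes) -> bytes:
    """Encrypt or decrypt `data` as if it began at byte `offset` of the file.

    Every keystream byte depends only on its position, so we jump straight to
    the block containing `offset`, discard the unused prefix of that block and
    continue.  No neighbouring ciphertext is needed, which is what lets a
    media player seek.
    """
    out = bytearray()
    pos = offset
    while len(out) < len(data):
        block = keystream_block(key, nonce, pos // BLOCK)
        start = pos % BLOCK                      # skip keystream before `pos`
        take = min(BLOCK - start, len(data) - len(out))
        chunk = data[len(out):len(out) + take]
        out.extend(a ^ b for a, b in zip(chunk, block[start:start + take]))
        pos += take
    return bytes(out)


def encrypt_file(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return ctr_xor(key, nonce, 0, plaintext)


def decrypt_range(key: bytes, nonce: bytes, ciphertext: bytes, start: int, length: int) -> bytes:
    """What a player does when the user skips ahead: decrypt only [start, start+length)."""
    return ctr_xor(key, nonce, start, ciphertext[start:start + length])


def keystream_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Why nonce reuse is fatal: XOR of two ciphertexts under one keystream
    equals XOR of the two plaintexts, with no key involved at all."""
    c1 = encrypt_file(key, nonce, p1)
    c2 = encrypt_file(key, nonce, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    media = bytes(range(256)) * 4          # constructed 1024-byte "media file"
    key, nonce = b"k" * 32, b"n" * 16
    ct = encrypt_file(key, nonce, media)
    # Seek to byte 500 and decrypt 100 bytes without decrypting bytes 0..499.
    print(decrypt_range(key, nonce, ct, 500, 100) == media[500:600])
```

The same nonce must never be used twice under one key; in a content system that means a fresh nonce per title (and per re-encryption), stored alongside the ciphertext.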

streaming

A client/server paradigm in which content is resident on a server, and the client machine renders the content without having complete or permanent copies of it locally. There are three distinct streaming technologies, which each have their own detailed entry here.

In the enterprise, Thin Client technologies - which might not be considered streaming in the strict sense - simplify desktop management by having many software applications run remotely (e.g. through a Web browser).

Streaming Media can be used to view content anytime, on any device, given sufficient connectivity.

Streaming software tries to replicate the values of streaming media but with software applications rather than audio or video.

Streaming Media

Technology for rendering audio or video from a remote source over an IP connection, without persistent local storage on the rendering device. There are local point-to-point streaming technologies used within our homes, such as DTCP or WMDRM-ND. But for the most part streaming media is pulled over the public Internet to phones, tablets, computers, and smart TVs. For more on this model as it applies to video see Over-The-Top.

Streaming Software

Similarly to streaming media, streaming software aims to provide internet-connected consumers with content that is stored only transiently on their PCs. Unlike streaming media, streaming software has never really caught on, though there are some signs it might be coming back. A few years ago Internet Service Providers were big fans of residential software streaming, because they saw in it a new revenue source - renting application software which is otherwise sold by others. But the technology constraints make software streaming a hard sell. Whereas a media player app can begin presenting media after only a few seconds of buffering, executable programs cannot be run at all until a substantial proportion of their code and data has been received. This is slow. As a result, most streaming offerings were consumer-oriented and heavy with low-end "edutainment" or end-of-life games. IntoNetworks (formerly Arepa), Mediastation, and Exent were a few of the technology companies which died while trying to create a residential broadband streaming software market.

Interestingly, the technology from one of those companies, called Streamtheory, seems to have evolved and grown - through two intermediate incarnations and a recent acquisition by Numecent - into something that might actually work. Of course, even if it works brilliantly, they face the challenge of convincing the owners of software to license it through them, which will be difficult due to perceived Channel Conflict, as well as the necessity of effective piracy protection.

Subscriber Identity Module (SIM)

A specialized smart card used to store subscriber information in GSM cell-phones. In GSM, it is the SIM, not the phone itself, which is associated with a subscriber: the card holds the subscriber's secret authentication key and performs the network's challenge-response computation on-card, so the key never leaves the tamper-resistant card and cloning a subscription requires attacking the card itself rather than the phone.

Subscription

A business model where a consumer gets access to content, not by buying it per piece, but by paying continuously for virtually unlimited access to a very large collection of content. There are both technical and commercial obstacles to implementing such a service. The commercial ones are probably harder, since traditional content providers simply are not structured to support such models. As a result, subscriptions to media content today are mostly either for streaming music (such as Spotify), or for streaming of less than first-run video (such as Netflix).

sunncomm

A long-gone provider of audio CD anti-copy technology. Not only was their technology a failure on common-sense grounds, it also generated a huge public backlash. A not-totally-objective history from The Register can be found here.

Super Audio CD (SACD)

Similar to competitor DVD-Audio, a variation of the DVD format which provides high-quality digital multichannel audio. Developed by Sony and Philips, it does not interwork with DVD-Audio, although players are available which play both formats. SACD and DVD-Audio both have great sound quality but neither ever caught on in the marketplace. SACD has built-in copy protection (encrypted content plus a physical mark on the disc) and the disc format itself has no publicly known crack; in practice, though, its DSD audio was eventually extracted through the player rather than the disc, notably from early PlayStation 3 consoles running modified firmware, which is the usual pattern: the player, not the disc, is the weak point.

This raises the interesting question of whether copy protection can be too good. SACD's relative failure may be partly due to high costs and a smaller player base, but the fact that consumers cannot copy them is certainly a negative as well.

superdistribution

The willfully uncontrolled distribution of digital goods which generate revenue based on controlling their use, not controlling copying. The first good description of this vision was in the book Superdistribution by Brad Cox in 1996. Today's peer-to-peer systems get the uncontrolled-copying part right, but by leaving out the controlled-usage part, they are seen primarily as agents of piracy. Superdistribution is still a powerful idea but it is technically difficult to do in a way which is both user-friendly and secure, and despite a few experiments in the space, its potential has yet to be widely realized.

Symbian

An operating system for high-end cell phones, developed by Symbian Ltd. and later owned outright by Nokia. Symbian version 9 had arguably the best Platform Security ever seen in the mobile space - a capability model in which sensitive APIs could only be used by code signed for the corresponding capabilities - but it was still fatally hacked in 2008. Any readers who have not been under a rock in the intervening years will know Nokia is not doing well these days - though, to be fair, it was probably due more to overwhelming competition and questionable alliances than to security problems.

Symmetric Cryptography

Also known as "secret key" cryptography. A family of cryptographic techniques where the same key is used to both encrypt and decrypt messages. Almost all cryptography was of this type until the discovery of asymmetric techniques in the 1970s. It is still the commonest type of cryptography, implemented via well-known standards such as AES. The biggest weakness of this type of cryptography is in key management: maintaining secrecy of the shared key is difficult, and a community of N users who all need to communicate privately with each other requires a separate key for each pair, N(N-1)/2 keys in all (roughly N squared over 2), which is impractical at scale. Also, because both parties hold the same key, anyone who can read a message can forge another message pretending to be the originator of the first; symmetric cryptography alone cannot provide non-repudiation. Its biggest strength is that it is relatively efficient and so can be practically implemented even on low-cost portable devices, without causing unacceptable processing overhead. In practice most secure systems today rely on some combination of symmetric and asymmetric cryptography. For DRM, typically asymmetric crypto is used for authentication and license management (for example, delivering the content key encrypted to a device's public key) and symmetric crypto is used for content decryption.

A Copy Protection system for PC software distributed on CD-ROM or DVD-ROM. It relies on breaking the rules for formatting these discs in such a way that most duplicating programs cannot make perfect duplicates, in conjunction with software that checks for the evidence of such imperfect duplication. Like everyone else in this space, their security has been periodically cracked (see time to crack), and there is no sign that they have protected any major titles recently. Indeed, physical distribution of games is rare today and Steam seems to be the new king of both distribution and protection for PC games.

Takedown Notice

An order from a copyright holder, as supported by the DMCA in the United States, to a second party allegedly hosting copyright-infringing material, to "take down" that material. Typically the recipient is an ISP, search engine, or individual hosting copyrighted material, e.g. as made available via BitTorrent. This reflects the "bargain" implicit in the DMCA for relatively "passive" parties such as ISPs. They have argued, rightly, that they cannot know everything that all their users post, and so should not be liable for the nasty stuff among all that content. Under the DMCA however, their (lack of) liability depends on them responding swiftly when they receive such a takedown notice.

Takedowns serve a legitimate purpose - you can hardly blame Hollywood for stopping pirate distribution of their latest movies, for instance- but there are reasonable objections to them as well. The worst thing about takedowns is that, by most credible analyses (thank Google as a prominent supplier of those) a significant fraction of them are bogus, in the sense that they are not in line with the intent of the DMCA. The commonest class of offenders is simply trying to harass their competition. See also Chilling Effect.

Tamper Resistance

Design property of a system that makes it difficult to inspect and modify the system's internals. In many cases, the system is deliberately designed to stop working altogether in the face of persistent attacks (see fragile). Tamper resistance may be primarily physical, as in the design of smart cards, or it may be logical, as in tamper-resistant software.

Technological Protection Measures (TPM)

Note: See also Trusted Platform Module. A range of technologies used to protect digital content; a general term which encompasses copy protection and its modern descendants. DRM can and should be more than TPMs, though unfortunately, it is not always so.

Requiring a direct connection to a server, e.g. "calling home" over the Internet. From a security perspective, the more often a system can check in with a server, the more it can enforce, because the server sees patterns that no single client can. A system which never "calls home" cannot know for sure, for instance, whether the serial number its user typed in was also used by 10,000 other users (see UID); a server that records every activation can. A system which calls home EVERY time content is consumed can be very secure, but the associated nuisance level is unacceptable to many consumers, and it fails outright when the user is offline. Finding the right balance of times at which to call home is one of the arts of DRM design.
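An added example, not from the original page, of the server-side check that calling home makes possible and an offline system cannot do: activations are grouped by serial number and a serial seen on more distinct devices than policy allows is flagged as shared or cloned. The activation records, the log format and the device-fingerprint field are constructed for this example and do not follow any real product's format.

```python
import re
from collections import defaultdict

# Constructed activation records, as a call-home server might log them.
# Format and field names are assumed for this example only.
SAMPLE_LOG = """\
2014-03-01T10:00:00Z activate serial=AB12-CD34 device=7c1e0f9a
2014-03-01T10:05:12Z activate serial=AB12-CD34 device=7c1e0f9a
2014-03-01T11:20:43Z activate serial=EF56-GH78 device=0b33d1e2
2014-03-02T08:01:09Z activate serial=AB12-CD34 device=91f4aa07
2014-03-02T08:02:15Z activate serial=AB12-CD34 device=4d5e6f70
2014-03-02T08:03:40Z activate serial=AB12-CD34 device=c0ffee11
2014-03-02T09:15:00Z activate serial=IJ90-KL12 device=5a5a5a5a
2014-03-02T09:16:30Z activate serial=IJ90-KL12 device=5a5a5a5b
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) activate serial=(?P<serial>\S+) device=(?P<device>\S+)$"
)


def parse_activations(log_text: str):
    """Yield (timestamp, serial, device) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("serial"), m.group("device")


def devices_per_serial(log_text: str) -> dict:
    """Map each serial to the set of distinct device fingerprints that used it.

    A reinstall on the same device repeats the same fingerprint and is not
    counted twice; only distinct devices matter for spotting a shared serial.
    """
    seen = defaultdict(set)
    for _ts, serial, device in parse_activations(log_text):
        seen[serial].add(device)
    return seen


def flag_shared_serials(log_text: str, max_devices: int = 2) -> dict:
    """Return {serial: distinct_device_count} for serials over the policy limit.

    The threshold is policy, not security: a generous value tolerates a user
    who owns two PCs while still catching a serial posted on a warez site and
    activated from hundreds of machines.
    """
    return {
        serial: len(devices)
        for serial, devices in devices_per_serial(log_text).items()
        if len(devices) > max_devices
    }


if __name__ == "__main__":
    for serial, count in flag_shared_serials(SAMPLE_LOG).items():
        print(f"serial {serial} used on {count} devices - probable sharing")
```

What the server does with a flagged serial (refuse further activations, revoke, or just watch) is the balance the entry describes; the detection itself is only possible because the client called home.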

Thin Client

Networked computing paradigm in which most computation is done on a server and the end user's PC, the "thin client", is basically a dumb input-output device. In enterprise markets, where LANs provide lots of bandwidth and managing desktop PC configurations is a major headache for IT departments, thin client computing technologies from companies such as Citrix Systems are doing OK. In the late 1990s, some startup companies promoted consumer thin-client computing (along with streaming), as a means of simplifying user support and implicitly protecting content as well. However, the thin-client experience over residential Internet connections was poor, and it never caught on for consumers. One could argue that it is back in a limited sense with modern Web browsers and HTML5.

Threat Model

When designing a secure system, a necessary step is to ask and answer the question "secure against what?". The answer is a threat model - a documented set of hypotheses about who or what will attack the system, with what skills, resources, and motives, and what they are after. Threat models have three main purposes:

To improve a design's security by anticipating specific attacks and implementing countermeasures in advance.

To anticipate the varying outcomes of "successful" attacks - such as cracks - and their possible impact.

To enable the creation of advance response plans to deal with significant attacks as and when they occur.

There are useful publicly-available frameworks to assist in threat modeling, such as STRIDE from Microsoft (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege: a checklist of threat categories to consider for each component).

Time Shifting

Watching or listening to some media programming at a time other than when it was originally broadcast. Taping a TV program on the PVR for later watching - while probably skipping commercials - is the most common example. From a copy-protection point of view, time-shifting is just copying. It's very hard to distinguish between a "temporary" copy for later viewing and a permanent one which might be fraudulently redistributed. Between that and the loss of some attention to TV commercials, neither the networks nor the content owners like time-shifting. However consumers have become very used to it and would not easily accept losing the capability. In recent years the "download-and-go" model for viewing anytime, irrespective of any original broadcast dates, typically on mobile devices, is gaining a lot of traction.

Time to Crack

A common figure-of-merit for DRM technology and especially copy protection technology: how long it takes before a newly introduced content protection technology (or more precisely, a title protected by it) is publicly cracked. If it takes an hour, then that technology is unlikely to pay for itself by materially reducing piracy losses. Privately, content owners are very realistic about this economic tradeoff. They know that any anti-copy technology will be cracked, and compare how much extra revenue they might get if a hot title remains uncracked for (say) an extra week, vs. the cost of applying that protection.

A decade ago, the term was used mostly with respect to PC game anti-copy technology. Today, Steam owns that market, and the modern discussion is more often about Blu-Ray video disc releases. The variant term "Time Past Street" is usually used, to mean how many days past its retail sales start a disc is available before a high-quality free "rip" is available, usually via BitTorrent. There are many ways a title can leak even before street date, and not all of them are technologically preventable; a notorious instance of that occurred in 2014 with The Expendables 3. In practice today, the only effective anti-copy technology for Blu-Ray discs is BD+, which can be slightly different for every disc. Therefore, a good "Time Past Street" is usually the result of an effective application of BD+, along with a lack of leaks earlier in the production chain.

The Innovative Rights and Access Management Inter-platform Solution. As your scribe observed when this was founded in 2001: "Sigh. Does the world really need yet another group solving the problems of DRM interoperability? I think not. This version is led by the European Commission along with a bunch of academic and commercial partners. The emphasis here is on video within the home. Repeat after me: we do not need any more DRM interoperability organizations which include neither Microsoft nor Apple!"

I was right of course, they folded in 2005 with no accomplishments to speak of.

TiVo

A Personal Video Recorder (PVR) made by the American company of the same name. TiVo is notable mainly because many years ago they petitioned the FCC to approve their device's ability to provide limited copying and sharing of content in spite of the Broadcast Flag, and won! As described in the official FCC ruling, several other content-protection technologies were also approved at the same time.

Since then, unfortunately for TiVo, the PVR has gone the way of many single-function gadgets. Today PVR features are built into most set-top boxes, and similar experiences can be had via other services such as Netflix.

Traceability

The ability to determine the original source of an item of digital content, and possibly the identity of an individual who downloaded - or licensed - an instance of that content item. The Playboy Web site used to watermark its images so that Playboy could detect - and prove in court - instances of unauthorized reproduction of their images. (And maybe they still do; your scribe does not spend much time there ;-)). More recently traceability has turned out to be important for video piracy in general and for pay-TV rebroadcasting in particular - see Traitor Tracing below.

Traitor Tracing

Any of various systems designed to figure out the identity of a "traitor", i.e. the person (or more usually, the specific device) which was responsible for removing the copy protection from a piece of content and distributing the unprotected version, for example via a P2P site. The simple forms of traitor tracing involve Unique Identifiers for the device itself, and/or the owner of the device, and/or the specific piece of content in combination with one of the foregoing. Sometimes the simple versions work, e.g. the watermark-based scheme used for online Playboy pictures is technically effective and has held up in court. More recently, tracing the source of illicitly rebroadcast premium live events (usually live sports) in real time, and shutting such sources down in real time, is an important security service for many operators. Operators make huge revenues from pay-per-view events and do whatever they can to prevent unauthorized simultaneous rebroadcasting of such content.

Trusted Computing Group (TCG)

Formed in April 2003, this industry group has the same key members as the TCPA, from which it sprang. It laid to rest the "Palladium vs. TCPA" confusion of 2002 by re-unifying the vendors behind a new banner. There's a lot of TCG-type hardware out there, but it's not clear what all of it is actually doing. In the consumer arena, it's never been big and the whole idea of trusted computing has its skeptics, as in the thought-provoking essay Can You Trust Your Computer?.

Trusted Execution Environment (TEE)

An isolated execution environment provided by the processor or System-on-Chip (SoC) in many modern mobile devices, in which code and data are kept out of reach of the normal operating system. TrustZone from ARM is the best known such technology, licensable as silicon IP; it splits the main processor into a "secure world" and a "normal world" rather than adding a separate processor, although some SoCs also include a dedicated security core. TEEs provide useful security capabilities - such as hiding data and code execution from the rest of the device - and have been around for many years, but they have been slow to catch on in terms of actually being used by mainstream software applications. A combination of costs and lack of universal APIs has meant that it was not practical to design an app which utilized a TEE and could still run on a wide variety of devices. In practice this is mostly an issue for the Android ecosystem, which runs on the ARM processor family but with a diverse set of manufacturers, software vendors, and operators. Samsung, one of the most dominant Android phone vendors, sometimes leverages TEEs because the cost of developing a Samsung-specific app is justifiable given their economies of scale.

In the DRM world, content providers like the idea of TEEs because they feel their content would be better protected on devices with TEEs, but in most situations they aren't able to dictate the use of TEEs due to the above factors.

Finally, it should be mentioned that Apple too uses TEEs in their client devices; however their huge homogeneous ecosystem gives them a significant advantage whereby the services of the TEE are (directly or indirectly) universally available to apps that need them.

Trusted Platform Module (TPM)

Note: See also Technological Protection Measures. An add-in (or, increasingly, built-in) security hardware component for PCs and some other devices, whose specifications are maintained by the Trusted Computing Group. The TPM provides security primitives including key storage and digital signatures, random number generation, protected storage, and "sealing" of data so that it is released only when the platform's measured boot state matches a known-good one. For the TPM to be useful the PC must have related support in its BIOS or firmware and, preferably, Operating System. Several manufacturers build such modules. A big driver for uptake of TPMs was supposed to be Microsoft's NGSCB, which fizzled when they decided they couldn't rely on such extra hardware in the mass consumer market.

From a consumer point of view TPMs for PCs have been largely invisible, although Windows BitLocker disk encryption uses them and Microsoft later made a TPM 2.0 a requirement for Windows 11. TEEs, which serve a related purpose on mobile devices, are gaining traction there.

Try Before You Buy (TBYB)

A business model where consumers can try a product for free or at very low cost, with some restrictions, before deciding whether to buy it. If the product is software or media, the trial restrictions (such as limited time use, feature restrictions etc.) are often enforced by a DRM system. This used to be common in the PC game domain, when demos almost always used CD-ROM delivery - these "demo" versions were actually crippled full-function versions, which could usually be turned into free full-function versions by application of a crack easily found on the Internet. Today such schemes are rare; TBYB is more likely to be seen for Web-based applications, where enforcing time or functional limitations is much easier because the enforcement runs on the server rather than on the user's machine.

This Web site run by Trymedia served as an aggregation point for PC games treated with their DRM technology, and showed remarkable longevity for the space - it lasted more than a decade, disappearing sometime in 2014; their site now redirects to "GameHouse".

Trymedia

A California-based DRM technology provider whose main focus was the PC game software business. They are notable for surviving long enough, and having solid enough technology, that Macrovision acquired them in summer 2005. Macrovision never made money on it and it was sold at a loss to Real Networks in 2008. The "GameHouse" site which they now redirect to is still part of Real Networks; it is possible that this site continues to use the Trymedia technology, but your scribe has no evidence on that point.

A New-York based provider of copy-protection technology bought by Macrovision in November 2002 following earlier strategic investments. Audio CD copy protection leveraging their "SafeAudio" technology was apparently the main goal.

"Universal Device ID", a specific example of a Unique Identifier which is present on all iOS devices from Apple. Such identifiers are extremely useful for many applications, notably DRM, where being able to uniquely identify a device can help prevent Cloning. However it also raises legitimate concerns such as privacy, and in 2011 Apple prohibited third-party developers from using the APIS that handle the UDID. They can effectively do that, because in their ecosystem, every app is vetted by them prior to being posted in an App Store, and API usage checking is part of that vetting process. This may be good for privacy, but it leaves developers scrounging for less reliable information, such as physical network addresses, when trying to get unique data about a device.

A cloud-based system, the brainchild of the Hollywood DECE group, which provides consumers with access to their paid-for content anytime, anywhere over the Internet. The process could be triggered for a given piece of content by, say, an entitlement which came with the purchase of the particular title on DVD. This is not a bad idea; Hollywood has rightly figured out that a) consumers are getting tired of buying the same piece of content over and over again in different formats for different devices, and b) there are already pirate "cloud" solutions such as BitTorrent. So far though, the execution has been uneven and reviews are mixed. Ease of use is an issue, as is reliability of service, and two of the biggest relevant names (Apple and Disney) are not on board.

Unique Identifier (UID, GUID)

A "magic number" associated with a hardware item, software application, user, or item of digital content. If the number is guaranteed to be globally unique it is usually called a "Globally Unique IDentifier" or GUID. Many UID schemes have nothing to do with computers or DRM, such as telephone numbers, mailing addresses, credit card numbers etc. In the computer arena, the best known UID schemes are the Internet Protocol (IP) address space, the globally unique 48-bit physical (MAC) address of a PC's Ethernet card, and the version 1 UUID scheme, used by Microsoft among others, which combines that 48-bit address with a timestamp to create software GUIDs. GUIDs generated controversy in the late 1990s when it was discovered they were routinely inserted into Microsoft Word documents, providing traceability of the documents whether the originator wanted it or not. (In fairness, this only became publicized when this same traceability was used to track down the author of a nasty computer virus.)

GUIDs arise in DRM: for example, Microsoft gives your PC a GUID if you use protected content in Windows Media Player. User-associable UIDs are of legitimate concern to privacy advocates and led, for example, to Intel's CPU Serial Number Fiasco.

Usage Control & Usage Rights

Since copying arguably cannot be effectively prevented, a superior approach would be to forget traditional copyright and copy control, let copying happen anyway, and control the USE of digital goods. That is, playing the video game or watching the video. This approach is not a silver bullet - security is still hard to do well, for example, since the usage check now runs on the user's machine and must itself be protected - but at least it works WITH, not AGAINST, the key characteristics of the Internet. The same networks which make worldwide copying easy can also make "calling home" to acquire usage rights easy. This was the philosophy of the too-far-ahead-of-its-time NetActive, and has been dabbled with since, but there are no signs of wide commercial adoption.

usenet

An Internet-based collection of user-submitted notes or messages on various subjects that are posted to servers on a worldwide network. Usenet predates the World Wide Web and usenet support has been dropped by many ISPs. Younger Internet users tend not to know of it, although they may see it indirectly through Web-based intermediaries such as Google groups. Usenet has been important to DRM as it served as a discussion and exchange forum both for developers (e.g. group "sci.crypt") and for hackers (e.g. group "alt.2600.cracks").

V

Valenti, Jack

Jack was chairman of the MPAA for nearly four decades, from the 1960s until after the turn of the millennium. He was friend to presidents going all the way back to Lyndon Johnson, and epitomizes the extreme political savvy that has enabled the American entertainment industry to largely dictate (for example) copy-protection technologies to much larger industries, such as PCs and consumer electronics.

The SMPTE designation for Microsoft's Windows Media Video 9 codec, which Microsoft in effect gave away to help it become a designated video format in next-generation Consumer Electronics. In this form the codec does not use Windows Media DRM, but instead uses whatever DRM a platform, such as a Blu-Ray player, might have. It was standardized in 2006 as SMPTE 421M. The main alternative, H.264 (MPEG-4 Part 10, also known as AVC), must also be supported by Blu-Ray players.

Anti-copy technology from Philips (or at least licensed by them), mandated by the FCC, to prevent DVD recorders from recording broadcast television programs if the Broadcast Flag prohibited it. Since the Broadcast Flag never took off, neither did this standard.

Vista

Microsoft's legacy Windows operating system release, originally codenamed Longhorn. It seemed to fit Microsoft's pattern of alternating decent (e.g. 98, XP, 7) and horrible (e.g. ME, Vista, 8) OS releases, and it was widely scorned by consumers, many of whom waited for Windows 7. Vista did not include hardware-based security a la NGSCB (although it was rumored to have such in the years prior to its release) but did include a number of significant DRM-related software technologies, such as PVP-OPM.

W

warez

Net slang (going back to the 1990s PC scene) for redistributable stolen software. Warez involves redistributing entire software applications, which are much larger than cracks. Today, broadband internet access makes moving large warez files around easy, so warez and cracks are just different parts of the relevant threat models. For the same reason, both warez and cracks are getting harder to find on the Web as sites are regularly shut down, and are relegated to the Darknet, e.g. certain corners of Internet Relay Chat, or torrent sites.

In the mobile world, the situation is a bit more complicated. Consumers with, say, an intact iOS device, are unlikely to seek or use stolen software for it, because the ecosystem makes that very hard. But unscrupulous developers have been known to download someone else's app, tweak it slightly, and re-submit it to the App Store as their own - a subtler form of theft. Such antics are even easier in the Android ecosystem, since the self-signing and multiple stores used by Android severely limit the ability to police apps.

Watermarks, Digital Watermarks

Watermarking, a type of steganography, is the insertion of (usually) hidden data, such as copyright information or a recipient identifier, into perceptible data such as a JPEG image or a music file. There are various kinds of watermarks, depending on the purpose of the embedded data, whether it is the same for each instance of a given content item, whether one or both of the signals are analog vs. digital, how subtly the data is embedded, and how robust it is against re-encoding or editing. While the technology is reasonably mature, deployment of watermarking is sporadic, because it usually involves more than one corporate entity within an ecosystem and the interests of the parties do not always align. For instance, a content provider might want to know which TV service operator a particular item of their content had been stolen from, but it is not in the operator's interests to spend money deploying a system which could reveal that information. See also traceability.
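An added example serving the Steganography entry above, this entry, and Traitor Tracing (not code from the original page): a least-significant-bit watermark that hides a 32-bit recipient ID in sample values at key-selected positions, plus the extraction step that traitor tracing uses to name the leaking recipient. The sample values, the 32-bit payload size, the key and the function names are constructed for this example. A plain LSB mark is the simplest possible watermark and does not survive lossy re-encoding; production forensic watermarks spread the payload across the signal precisely so that it does.

```python
import hashlib

PAYLOAD_BITS = 32   # width of the embedded recipient ID (assumed for this example)


def _positions(n_samples: int, key: bytes) -> list:
    """PAYLOAD_BITS distinct sample indices derived from the key.

    Without the key an observer does not know which samples carry the mark,
    which is the steganographic property; with it, extraction is trivial.
    Requires n_samples >= PAYLOAD_BITS.
    """
    chosen, counter = [], 0
    while len(chosen) < PAYLOAD_BITS:
        digest = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        idx = int.from_bytes(digest[:4], "big") % n_samples
        if idx not in chosen:
            chosen.append(idx)
        counter += 1
    return chosen


def embed_id(samples: bytes, recipient_id: int, key: bytes) -> bytes:
    """Hide recipient_id in the least-significant bits of key-selected samples.

    `samples` stands in for 8-bit pixel or audio sample values.  Each touched
    sample changes by at most 1, which is imperceptible in media, so the
    carrier still looks and sounds like the original.
    """
    if not 0 <= recipient_id < (1 << PAYLOAD_BITS):
        raise ValueError("recipient_id does not fit the payload width")
    out = bytearray(samples)
    for i, pos in enumerate(_positions(len(samples), key)):
        bit = (recipient_id >> (PAYLOAD_BITS - 1 - i)) & 1
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract_id(samples: bytes, key: bytes) -> int:
    """Read the LSBs back from the same key-selected positions."""
    value = 0
    for pos in _positions(len(samples), key):
        value = (value << 1) | (samples[pos] & 1)
    return value


def trace_leak(leaked: bytes, key: bytes, recipients: dict):
    """Traitor tracing: recover the ID from a leaked copy and name who received it.

    Each distributed copy carries a different recipient_id, so the ID read
    from the leak identifies the device or subscriber that leaked it.
    Returns None when the recovered ID is unknown (e.g. the mark was destroyed).
    """
    return recipients.get(extract_id(leaked, key))


if __name__ == "__main__":
    samples = bytes((i * 37) % 256 for i in range(1000))   # constructed carrier
    key = b"watermark-key"
    copy_for_a = embed_id(samples, 0xC0FFEE01, key)
    print(trace_leak(copy_for_a, key, {0xC0FFEE01: "subscriber-A"}))
```

Because the embedding key selects the positions, the operator that holds it can read the mark while a pirate who lacks it sees only media; the mark's weakness is robustness, not secrecy, since re-encoding the carrier rewrites the low bits.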

A New England based company which pursued a hardware-assisted version of the superdistribution vision for over a decade. They are driven by the Sprague family, members of the New England establishment who have a history of technological inventiveness going back more than a century. This is a good thing, as they have mostly been way too far ahead of their time to make a profit. They were key players in the Trusted Computing Group. More recently, they have largely abandoned the consumer / DRM market and have focused on leveraging hardware security capability which is in fact present on most enterprise PCs to improve corporate security.

An interesting attempt at superdistribution for music files which emerged in 2004. Weedshare's creators were evidently Seattle-area musicians. Wisely, and unusually for the field, they chose to innovate ONLY on the superdistribution business model, and use third party technology for the rest: Paypal for payments and Microsoft Windows Media Player for DRM. It was a pretty good idea. Unfortunately, the Windows Media Player DRM (WMDRM) evolved in a direction that no longer supported their superdistribution model and they ceased operations in 2007. Conspiracy theorists might think Microsoft deliberately introduced technological incompatibilities to impact Weedshare, but this is very unlikely as Weedshare was never very successful and thus was not likely a target for the giants of Redmond.

There is a music site at that URL today, but it appears to be a completely unrelated free indie music startup site.

A component whose boundaries are well defined and whose inputs and outputs can be observed (and perhaps the inputs manipulated), and which also has internals which can be observed and possibly manipulated. It is very difficult to implement a system with robust security on a white box platform. (Indeed, from an academic/mathematical perspective, many would say it is impossible, depending on the system's security requirements.) The PC is a classic white box, which is one of the reasons that content protection on PCs is extremely hard to implement robustly. It is also one of the reasons that PCs are fantastically versatile, ever-improving, general-purpose machines. To a large extent, modern mobile devices, especially Android phones, are also white boxes.

A hacker with benevolent intent. That is, someone who possesses the technical skills to invade systems, defeat protection mechanisms, etc. but who uses them only for "good" reasons e.g. helping companies assess and improve their security. Some white hats are security consultants who used to be black hats. There's even an official certification for white hats called "Certified Ethical Hacker". Of course, there is debate about what is "good". For example, some people feel that publicizing security vulnerabilities which have not been fixed is irresponsible, while others argue that it is the only way to get some corporations to improve the security of their products in a timely fashion.

An audio codec from Microsoft, compatible with Windows Media Player and usually associated with the ASF file format. Nowadays other audio codecs are more dominant, notably Apple's AAC.

Windows Media Data Session Toolkit

An initiative from Microsoft in the Audio CD anti-copy arena. Like all such schemes, it couldn't really be both effective and user friendly within the constraints of the relevant standards and devices. It never took off and no-one bothers protecting CD-quality audio anymore anyway.

Windows Media Player

The dominant media player system from Microsoft. Windows Media Player includes DRM capability which, because Microsoft is the 800-pound gorilla in the PC space, is the only serious competition to iTunes for PC media. Microsoft has inherent advantages, in that it owns the operating system and can also exert considerable influence over peripheral manufacturers e.g. to include crypto functions on sound cards. This same dominance - and anti-Microsoft bias among parts of the "techno-geek" community - also ensures that Microsoft DRM security is subject to relentless attacks. The security has stood up quite well nonetheless, with no major cracks in the last couple of years.

WMDRM-ND

Windows Media DRM for Network Devices, a Microsoft proprietary architecture for protecting media streamed over digital packet point-to-point links within the home e.g. from one "Network Device" such as a computer, to another network device such as an IP set-top box. Of course, the content has to be protected inside the boxes as well. To this end Windows Media Player 11 supports a content export API for source devices and a corresponding content import API for sink devices. This enables an all-Microsoft solution - which could be a good thing or a bad thing depending on your point of view. Its main competition is DTCP. The source is dubbed WMDRM-NDT (Network Device, Transmitter) while the sink is WMDRM-NDR (Network Device, Receiver). Despite the name, this is also supported by their more recent PlayReady technology.

Announced in 2003 and based on Windows Server 2003, this is the first time that Microsoft offered DRM capability which supported the development of DRM-controlled applications by third parties. It's still around, by various names, but it seems it is mostly used to control documents created by Microsoft's own products, such as Office.

wrapper

A common paradigm for digital content protection, in which a digital asset in some known form such as MP3, Win32 *.EXE or MS Word *.DOC, is "wrapped" using cryptography so that it can only be accessed with the help of an "unwrapping" agent that knows the key. Typically these agents are not stand-alone programs but are "behind-the-scenes" and automatically invoked (in systems where they have been installed) when the affected files are accessed in the "normal" e.g. point-and-click fashion.

Almost all media-protection schemes use cryptographic wrappers around common formats, which means that to obtain any useful level of security they must build in countermeasures to attacks such as key discovery and wedges.

If the item being wrapped is a binary executable file such as a .exe, .dll or .so, the technology is similar in spirit but somewhat different in implementation. Usually, the distributed form of the application contains a "stub" program which conforms to the requirements for loadable files in the particular operating system, but which does not expose the "real" program. The "real" program is stored as an encrypted payload inside or outside the stub, which is only decrypted at run time. Absent other measures, the entire program will be exposed once decrypted into working memory, but that at least forces an attacker to do Dynamic Analysis, which ups the required skill level and provides a useful additional degree of security. This technology is sometimes also called a Secure Loader.
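One consequence of the stub-plus-encrypted-payload layout is that the wrapped file carries a near-random region that a plain executable does not have, which is what analysts and anti-malware triage tools look for when deciding whether a binary needs dynamic analysis. The following added example (not from this dictionary, and operating on a constructed stub and payload rather than a real binary) locates that region by sliding a Shannon-entropy window over the file.

```python
# Added illustration, not part of the original dictionary: find the encrypted
# payload inside a "wrapped" executable by scanning for high-entropy regions.
# STUB and PAYLOAD below are constructed byte strings, not a real program.
import math
import random
from typing import List, Tuple

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_regions(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Step a fixed window over the file and merge consecutive windows whose
    entropy reaches the threshold into (start, end) byte ranges.  Plain code and
    text score roughly 3-6 bits/byte; encrypted or compressed payloads score
    close to 8, so a region above 7.0 is the wrapper's payload (or a packed
    section, which looks the same to this test)."""
    regions: List[Tuple[int, int]] = []
    if len(data) < window:
        return regions
    start = None
    off = 0
    for off in range(0, len(data) - window + 1, window):
        hot = shannon_entropy(data[off:off + window]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, off + window))
    return regions

# Constructed sample: a repetitive low-entropy "stub", then 2048 bytes standing in
# for the encrypted payload (seeded pseudo-random bytes), then zero padding.
STUB = (b"stub code " * 103)[:1024]
_rnd = random.Random(1)
PAYLOAD = bytes(_rnd.getrandbits(8) for _ in range(2048))
TRAILER = b"\x00" * 512
WRAPPED = STUB + PAYLOAD + TRAILER
```

On a real PE or ELF file the same scan is usually run per section, and the section that holds the high-entropy bytes alongside a small import table is the tell-tale shape of a secure loader.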

X

xBox

Microsoft's video game console family. Although game consoles are not a primary focus of this site, game consoles in general and the original xBox in particular are interesting from a security technology point of view. It was a direct architectural descendant of the PC, with modifications in three broad areas: cost, fixed-function simplicity, and security. Like all game consoles even to today, it used Platform Security implemented in hardware as well as software. It would only run applications signed with a 2048-bit private key, which originally could only be worked around by using a hardware modchip. Hackers later figured out how to run unsigned code without a modchip. In addition the xBox used encrypted boot blocks and an encrypted kernel, with some "fake" FLASH BIOS data replaced at run-time with code hidden in the hardware of the "south bridge" bus chip. This was all the subject of a well-documented collaborative attack led by "Bunnie" Huang, an MIT doctoral student at the time.

The bottom line is that, although Microsoft was reasonably diligent in the original xBox's security design, the hacker community has an amazingly high level of skill and loves to attack Microsoft. There have been more generations since then and various hacks to them have continued over the years; however, given that games are much more on-line now than they were a few years ago, that provides more opportunity to "call home" and use servers to help maintain the integrity of the devices. The net result is typically that someone with a hacked platform can't go online at all without being detected, and given that many games are online multiplayer games, and these devices are now also online media players, being offline is unappealing. So in practice few such devices are hacked currently.

xCP - eXtensible Content Protection

An interesting foray by IBM into domestic DRM as described in this Internet News article. The idea of a domestic "domain" of devices sharing content was reasonable, but it didn't get much beyond a lab demo in 2003; indeed, IBM seems to have lost interest in consumer DRM in general after that. Microsoft and Intertrust have since implemented similar domain concepts in their consumer DRM technologies.

XMCL - eXtensible Media Commerce Language

A legacy proposed XML-based rights-expression standard from Real Networks. It seems all they wanted was a press release - Real Networks never really tried to establish it as a serious competitor to XRML. It was submitted to the W3C, but went no further.

A legacy Electronic Software Distribution (ESD) technology developed in the mid 1990s by Portland Software. Portland Software and ZipLock were absorbed by Preview Systems in 1998, which in turn was absorbed by Aladdin and so on. ESD by itself (i.e. without value-add such as DRM) is no longer a viable business, if indeed it ever was.

Microsoft's attempt at an "iPod Killer", which came out in 2006 and was finally abandoned in 2011. Your scribe was in the business when it was launched and, like many others, was baffled by Microsoft's strategy. It was easy for them to see that the vertical-market strategy of Apple was working well. But the iPod was firmly entrenched already and displacing it would have required something miraculous, not just something very good (which the Zune arguably was). Some remnants of the Zune technology are still to be found in the Xbox.

Disclaimer

Gord Larose, author of these pages, was employed by NetActive and invented much of their key technology. NetActive is no longer active so Mr. Larose is no longer associated with the company. Gord is currently employed by Irdeto, but this site is maintained with his own time and resources, and is still an objective source of insight on the DRM landscape.